Cumulus Linux 3.7 Release Notes

Overview

These release notes support the Cumulus Linux 3.7.0 through 3.7.9 releases and describe currently available features and known issues.

Stay up to Date

  • Sign in and click Follow above to receive a notification when we update these release notes.
  • Subscribe to our product bulletin mailing list to receive important announcements and updates about issues that arise in our products.
  • Subscribe to our security announcement mailing list to receive alerts whenever we update our software for security issues.

What's New in Cumulus Linux 3.7

Cumulus Linux 3.7.9 contains new bug fixes, and several new features and improvements:

Cumulus Linux 3.7.8 contains bug fixes and the following new transceivers:

  • Mellanox 100G-PSM4 (MMS1C10-CM)
  • Wave Splitter WST-QS28-CM4C-D (100G-CWDM4-OCP) and WST-QS28-CM4-C (100G CWDM4)

Cumulus Linux 3.7.7 contains bug fixes only.

Cumulus Linux 3.7.6 contains bug fixes, and the following new platform and power supply:

  • Dell N3048EP-ON (1G PoE Helix4)
    Note: Depending upon the revision of the switch you have, you may not be able to install Cumulus Linux on it. For more information, read this knowledge base article.
  • 48V DC PSU for the Dell Z9100-ON switch

Cumulus Linux 3.7.5 fixes an issue with EVPN centralized routing on Tomahawk and Tomahawk+ switches (RN-1353) and an issue with switchd when IGMP snooping is enabled on a Broadcom switch (RN-1369), and includes additional security fixes.

Cumulus Linux 3.7.5 replaces Cumulus Linux 3.7.4 and includes all the new features and resolved issues from Cumulus Linux 3.7.4.

Cumulus Linux 3.7.4 is no longer available due to severe issues that are resolved in Cumulus Linux 3.7.5.

Cumulus Linux 3.7.4 contains a number of new platforms, features, and improvements:

Cumulus Linux 3.7.3 contains a number of new platforms, features, and improvements:

  • New platforms include:
    • Dell Z9264F-ON (100G Broadcom Tomahawk2)
    • Edgecore AS7816-64X (100G Broadcom Tomahawk2)
    • Edgecore AS7726-32X (100G Broadcom Trident3)
    • Edgecore AS7326-56X (25G Broadcom Trident3)
    • HPE SN2700M (100G Mellanox Spectrum)
    • HPE SN2100M (100G Mellanox Spectrum)
    • HPE SN2410M (25G Mellanox Spectrum)
    • Lenovo NE0152TO (1G Broadcom Helix4) now generally available
    • Penguin Arctica NX4804x (10G Broadcom Maverick)
  • The EVPN duplicate address detection freeze option lets you freeze a duplicate address permanently or for a certain amount of time
  • The Cumulus Hyperconverged Solution (HCS) supports automated integration with the Nutanix Prism Management solution and the Nutanix AHV hypervisor

Cumulus Linux 3.7.2 contains a number of new platforms, features and improvements:

Cumulus Linux 3.7.1 contains bug fixes only.

Cumulus Linux 3.7.0 contains a number of new platforms, features and improvements:

Licensing

Cumulus Linux is licensed on a per-instance basis. Each network system is fully operational, enabling any capability to be utilized on the switch with the exception of forwarding on switch panel ports. Only eth0 and console ports are activated on an unlicensed instance of Cumulus Linux. Enabling front panel ports requires a license.

After you receive a license key from Cumulus Networks or an authorized reseller, you can install the license. Follow the steps in the Cumulus Linux Quick Start Guide.

Install or Upgrade to Version 3.7

Whether you are installing Cumulus Linux 3.7 for the first time or upgrading from an earlier version, follow the steps in the Installation Management section of the Cumulus Linux User Guide.

Before You Upgrade from Cumulus Linux 3.7.3 or Earlier

If you are using apt to upgrade to Cumulus Linux 3.7.4 or later, you must install the cumulus-trim package before upgrading. See release note 1317 below and this Cumulus Networks product bulletin.

Update a Deployment that Has MLAG Configured

If you are using MLAG to dual connect two switches in your environment, and those switches are still running Cumulus Linux 2.5 ESR or any other release earlier than 3.0.0, the switches will not be dual-connected after you upgrade the first switch. To ensure a smooth upgrade, follow the steps in the Upgrading Cumulus Linux topic of the Cumulus Linux User Guide.

Perl, Python and BDB Modules

Any Perl scripts that use the DB_File module or Python scripts that use the bsddb module do not run under Cumulus Linux 3.7.

Documentation

You can read the technical documentation here.

Issues Fixed in Cumulus Linux 3.7.9

The following issues are fixed in Cumulus Linux 3.7.9.

RN-757 (CM-18537)
On Mellanox switches, congestion drops are not counted

Drops due to congestion do not appear to be counted on Mellanox switches.

To work around this issue, run the sudo ethtool -S swp1 command to collect interface traffic statistics.

This issue is fixed in Cumulus Linux 3.7.9.


RN-1003 (CM-21511)
IGMP queries are not sent if a VXLAN is declared before the bridge in the /etc/network/interfaces file

If a VNI is configured before the bridge in /etc/network/interfaces, the switch does not send IGMP queries.

To work around this issue, edit the /etc/network/interfaces file to define the bridge before the VNI. For example:

# The primary network interface
auto eth0
iface eth0 inet dhcp

auto lo
iface lo inet loopback
    address 10.26.10.11/32

auto swp9
iface swp9
    bridge-access 100

auto swp10
iface swp10
    bridge-access 100

auto bridge
iface bridge
    bridge-ports swp9 swp10 vni-10
    bridge-vids 100
    bridge-vlan-aware yes
    bridge-mcquerier 1

auto vni-10
iface vni-10
    vxlan-id 10
    vxlan-local-tunnelip 10.0.0.11
    bridge-access 100

auto bridge.100
vlan bridge.100
    bridge-igmp-querier-src 123.1.1.1

auto vlan100
iface vlan100
    address 10.26.100.2/24
    vlan-id 100
    vlan-raw-device bridge

This issue is fixed in Cumulus Linux 3.7.9.


RN-1061 (CM-22203)
HTTP API enabled and listening by default

By default, the nginx server that provides the HTTP API on port 8080 is enabled but is not supposed to accept external requests. However, it is listening for and answering external requests.

This issue is fixed in Cumulus Linux 3.7.9.


RN-1129 (CM-22608)
On Mellanox Spectrum and Helix4 switches, sFlow sends malformed packets and no flow samples

Mellanox Spectrum and Helix4 switches occasionally send malformed packets and do not send any flow samples (only counters).

This issue is fixed for switches with the Spectrum ASIC in Cumulus Linux 3.7.9. However, this remains a known limitation on the Helix4 platform. See the Cumulus Linux User Guide.


RN-1202 (CM-23398)
Debian Security Advisory DSA 4359-1 for wireshark CVE-2018-12086 CVE-2018-18225 CVE-2018-18226 CVE-2018-18227 CVE-2018-19622 CVE-2018-19623 CVE-2018-19624 CVE-2018-19625 CVE-2018-19626 CVE-2018-19627 CVE-2018-19628

The following CVEs were announced in Debian Security Advisory DSA-4359-1 and affect the wireshark package.

All CVEs except for CVE-2018-12086 are fixed in Cumulus Linux 3.7.9.

CVE-2018-12086 will be fixed in a future Cumulus Linux release.

-----------------------------------------------------------------------------------

Debian Security Advisory DSA-4359-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

December 27, 2018 https://www.debian.org/security/faq

----------------------------------------------------------------------------------

Package: wireshark

CVE ID: CVE-2018-12086 CVE-2018-18225 CVE-2018-18226 CVE-2018-18227 CVE-2018-19622 CVE-2018-19623 CVE-2018-19624 CVE-2018-19625 CVE-2018-19626 CVE-2018-19627 CVE-2018-19628

Multiple vulnerabilities have been discovered in Wireshark, a network protocol analyzer, which could result in denial of service or the execution of arbitrary code.

For the stable distribution (stretch), these problems have been fixed in version 2.6.5-1~deb9u1.

We recommend that you upgrade your wireshark packages.

For the detailed security status of wireshark, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/wireshark


RN-1219 (CM-23523)
NCLU show_linux_command = True does not show Linux commands

Modifying the /etc/netd.conf file to set show_linux_command = True does not take effect.

This issue is fixed in Cumulus Linux 3.7.9.


RN-1223 (CM-20966)
LLDP information is missing for a switch port when you run net show interface

The NCLU net show lldp and net show interface commands do not show LLDP information for swp* (eth is unaffected).

This issue is fixed in Cumulus Linux 3.7.9.


RN-1240 (CM-23285)
Moving an interface from a bridge to a VRF in one commit fails to create an IPv6 link-local address

When you remove an interface from a bridge and add it to a VRF in the same commit/ifreload, the IPv6 link-local address is not created automatically.

To work around this issue, do the change in two separate commits. First, remove the interface from the bridge, which causes it to be a layer 2 interface. Then, enslave the interface to the VRF.

This issue is fixed in Cumulus Linux 3.7.9.


RN-1256 (CM-23652)
net show bridge spanning-tree does not show the MLAG peer link in an STP forwarding instance

The NCLU command net show bridge spanning-tree does not show the MLAG peer link as part of the STP forwarding instance.

This issue is fixed in Cumulus Linux 3.7.9.


RN-1343 (CM-22834)
Some IPv6 BGP peers fail to reestablish after a switchd restart

In rare cases, certain IPv6 BGP peers fail to reestablish after switchd restarts.

This issue is fixed in Cumulus Linux 3.7.9.


RN-1385 (CM-23636)
Debian Security Advisory DSA 4371-1 for apt CVE-2019-3462

The following CVE was announced in Debian Security Advisory DSA-4371-1 and affects the apt package.

This issue is fixed in Cumulus Linux 3.7.9.

-------------------------------------------------------------------------------------------

Debian Security Advisory DSA-4371-1 security@debian.org

https://www.debian.org/security/ Yves-Alexis Perez

January 22, 2019 https://www.debian.org/security/faq

-------------------------------------------------------------------------------------------

Max Justicz discovered a vulnerability in APT, the high level package manager.

The code handling HTTP redirects in the HTTP transport method doesn't properly sanitize fields transmitted over the wire. This vulnerability could be used by an attacker located as a man-in-the-middle between APT and a mirror to inject malicious content in the HTTP connection. This content could then be recognized as a valid package by APT and used later for code execution with root privileges on the target machine. Since the vulnerability is present in the package manager itself, it is recommended to disable redirects in order to prevent exploitation during this upgrade only, using:

apt -o Acquire::http::AllowRedirect=false update

apt -o Acquire::http::AllowRedirect=false upgrade

This is known to break some proxies when used against security.debian.org. If that happens, you can switch your security APT source to use deb http://cdn-fastly.deb.debian.org/debian-security stable/updates main. For the stable distribution (stretch), this problem has been fixed in version 1.4.9.


RN-1388 (CM-24593)
On the Dell S5248F switch, packets forwarded to the CPU are sometimes corrupted

On a Dell S5248F (Trident3) switch, packets forwarded from switch ports to the CPU are sometimes corrupted. The corruption might cause BGP peerings to go down, which can cause all VXLAN traffic to and from a node to be lost, resulting in an outage for dually connected hosts in a rack.

To work around this issue, restart switchd.

This issue is fixed in Cumulus Linux 3.7.9.


RN-1413 (CM-24544)
clagd-vxlan-anycast-ip not removed until clagd restart

If the clagd-vxlan-anycast-ip is removed from the /etc/network/interfaces file (either with the NCLU command or by editing the file manually), MLAG still believes it is present until clagd restarts.

This issue is fixed in Cumulus Linux 3.7.9.


RN-1427 (CM-23431)
On Trident3 switches, the input chain ACL drop action does not drop packets if the traffic is destined to CPU on an SVI

On the Trident3 switch, the input chain ACL drop action forwards packets if the traffic is destined to the CPU on an SVI.

This issue is fixed in Cumulus Linux 3.7.9.


RN-1440 (CM-25295)
ifquery file syntax check does not return non-zero on failure

The ifquery command should return a non-zero value if there is a syntax error. However, it currently returns zero. This issue affects automation scripts that validate a file before copying it into place.

This issue is fixed in Cumulus Linux 3.7.9.


RN-1441 (CM-25284)
The clagd service fails silently when you run ifreload -a if the sys-mac leading zero is not included

If you configure a sys-mac with a single digit, ifreload -a does not indicate that the MAC address is invalid for the MLAG sys-mac and the clagd process fails silently.

This issue is fixed in Cumulus Linux 3.7.9.


RN-1442 (CM-25240)
ifreload -a detects a mismatch on address-virtual if the leading zero is not included

If the address-virtual MAC address is missing a leading zero in the last octet, the interface bounces.

This issue is fixed in Cumulus Linux 3.7.9.
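RN-1441 and RN-1442 both stem from a MAC address written with a one-digit octet, which ifreload -a does not report. The following script, added here as an example and not part of the release notes, is a pre-copy lint for an interfaces file that flags clagd-sys-mac and address-virtual values whose octets are missing a leading zero; the keywords follow the syntax used in these notes and the sample file is constructed.

```shell
#!/bin/sh
# Added example, not from the release notes: lint an ifupdown2 interfaces
# file for MAC addresses with a missing leading zero in an octet (the
# condition behind RN-1441 and RN-1442). Keywords and sample values are
# assumptions modelled on the syntax shown in the release notes.

MAC_RE='^([0-9a-f]{2}:){5}[0-9a-f]{2}$'

# Print one line per offending MAC as "<line>:<keyword>:<mac>".
bad_mac_lines() {
    # Only clagd-sys-mac and address-virtual take a MAC as their first argument.
    awk '$1 == "clagd-sys-mac" || $1 == "address-virtual" { print NR, $1, $2 }' "$1" |
    while read -r lineno keyword mac; do
        # Six two-digit hex octets: "44:38:39:ff:40:9" fails, "...:40:09" passes.
        if ! printf '%s\n' "$mac" | grep -Eiq "$MAC_RE"; then
            printf '%s:%s:%s\n' "$lineno" "$keyword" "$mac"
        fi
    done
}

# Return 0 when the file is clean and 1 when any MAC needs fixing, so the
# function can gate an automation step that copies the file into place.
validate_interfaces() {
    out=$(bad_mac_lines "$1")
    if [ -n "$out" ]; then
        printf 'invalid MAC(s) in %s:\n%s\n' "$1" "$out" >&2
        return 1
    fi
    return 0
}

# Constructed sample written to the path given in $1: a sys-mac with a
# one-digit last octet and a VRR MAC with a one-digit last octet (both
# bad), plus a correctly written VRR MAC (good).
write_sample() {
    cat > "$1" <<'EOF'
auto peerlink.4094
iface peerlink.4094
    clagd-peer-ip linklocal
    clagd-sys-mac 44:38:39:ff:40:9
    clagd-backup-ip 192.0.2.2

auto vlan100
iface vlan100
    address 192.0.2.1/24
    address-virtual 00:00:5e:00:01:1 192.0.2.254/24
    vlan-id 100
    vlan-raw-device bridge

auto vlan200
iface vlan200
    address 198.51.100.1/24
    address-virtual 00:00:5e:00:01:02 198.51.100.254/24
    vlan-id 200
    vlan-raw-device bridge
EOF
}

# Lint the file named on the command line, if one was given.
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    validate_interfaces "$1"
fi
```

Run it as a step before copying a generated file to /etc/network/interfaces; the sample above reports lines 4 and 10.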


RN-1458 (CM-25358)
ifupdown2 does not remove or bring down the VRR (-v0) interface when you issue link-down on a physical SVI

When you configure the link-down yes attribute on a physical SVI, the VRR (-v0) interface is not brought down, so the locally connected subnet can still be redistributed into routing protocols and advertised to neighbors even though the physical SVI is administratively down.

To work around this issue, manually bring down the VRR (-v0) interface with the ip link set dev command. For example:

cumulus@switch:~$ sudo ip link set dev vlan1755-v0 down

This issue is fixed in Cumulus Linux 3.7.9.


RN-1468 (CM-25343)
Debian Security Advisory DSA-4465-1 for linux kernel CVE-2019-3846 CVE-2019-5489 CVE-2019-9500 CVE-2019-9503 CVE-2019-10126 CVE-2019-11477 CVE-2019-11478 CVE-2019-11479 CVE-2019-11486 CVE-2019-11599 CVE-2019-11815 CVE-2019-11833 CVE-2019-11884

The following CVEs were announced in Debian Security Advisory DSA-4465-1 and affect the linux kernel.

This issue is fixed in Cumulus Linux 3.7.9.

-------------------------------------------------------------------------------------------

Debian Security Advisory DSA-4465-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

June 17, 2019 https://www.debian.org/security/faq

-------------------------------------------------------------------------------------------

Package: linux

CVE ID: CVE-2019-3846 CVE-2019-5489 CVE-2019-9500 CVE-2019-9503 CVE-2019-10126 CVE-2019-11477 CVE-2019-11478 CVE-2019-11479 CVE-2019-11486 CVE-2019-11599 CVE-2019-11815 CVE-2019-11833 CVE-2019-11884

Debian Bug: 928989

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2019-3846, CVE-2019-10126

huangwen reported multiple buffer overflows in the Marvell wifi (mwifiex) driver, which a local user could use to cause denial of service or the execution of arbitrary code.

CVE-2019-5489

Daniel Gruss, Erik Kraft, Trishita Tiwari, Michael Schwarz, Ari Trachtenberg, Jason Hennessey, Alex Ionescu, and Anders Fogh discovered that local users could use the mincore() system call to obtain sensitive information from other processes that access the same memory-mapped file.

CVE-2019-9500, CVE-2019-9503

Hugues Anguelkov discovered a buffer overflow and missing access validation in the Broadcom FullMAC wifi driver (brcmfmac), which an attacker on the same wifi network could use to cause denial of service or the execution of arbitrary code.

CVE-2019-11477

Jonathan Looney reported that a specially crafted sequence of TCP selective acknowledgements (SACKs) allows a remotely triggerable kernel panic.

CVE-2019-11478

Jonathan Looney reported that a specially crafted sequence of TCP selective acknowledgements (SACKs) will fragment the TCP retransmission queue, allowing an attacker to cause excessive resource usage.

CVE-2019-11479

Jonathan Looney reported that an attacker could force the Linux kernel to segment its responses into multiple TCP segments, each of which contains only 8 bytes of data, drastically increasing the bandwidth required to deliver the same amount of data. This update introduces a new sysctl value to control the minimal MSS (net.ipv4.tcp_min_snd_mss), which by default uses the formerly hard-coded value of 48. We recommend raising this to 536 unless you know that your network requires a lower value.

CVE-2019-11486

Jann Horn of Google reported numerous race conditions in the Siemens R3964 line discipline. A local user could use these to cause unspecified security impact. This module has therefore been disabled.

CVE-2019-11599

Jann Horn of Google reported a race condition in the core dump implementation which could lead to a use-after-free. A local user could use this to read sensitive information, to cause a denial of service (memory corruption), or for privilege escalation.

CVE-2019-11815

It was discovered that a use-after-free in the Reliable Datagram Sockets protocol could result in denial of service and potentially privilege escalation. This protocol module (rds) is not auto-loaded on Debian systems, so this issue only affects systems where it is explicitly loaded.

CVE-2019-11833

It was discovered that the ext4 filesystem implementation writes uninitialised data from kernel memory to new extent blocks. A local user able to write to an ext4 filesystem and then read the filesystem image, for example using a removable drive, might be able to use this to obtain sensitive information.

CVE-2019-11884

It was discovered that the Bluetooth HIDP implementation did not ensure that new connection names were null-terminated. A local user with CAP_NET_ADMIN capability might be able to use this to obtain sensitive information from the kernel stack.

For the stable distribution (stretch), these problems have been fixed in version 4.9.168-1+deb9u3.

We recommend that you upgrade your linux packages.

For the detailed security status of linux, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/linux


RN-1472 (CM-25395)
The NCLU command net del all changes the exec-timeout in /etc/frr/frr.conf

When you run the NCLU net del all command, the exec-timeout setting changes in the /etc/frr/frr.conf file.

This issue is fixed in Cumulus Linux 3.7.9.


RN-1475 (CM-25489)
BGP remove-private-AS replace-AS configuration on a pair of switches might cause a BGP flap due to updates

When BGP remove-private-AS replace-AS is configured under the BGP IPv4 or IPv6 address family between a pair of switches configured as BGP peers, a BGP route update might cause the BGP session to flap.

To work around this issue, do not configure remove-private-AS replace-AS in the BGP IPv4 or IPv6 address family.

This issue is fixed in Cumulus Linux 3.7.9.


RN-1479 (CM-25610)
Under specific circumstances, the mandatory nexthop attribute in the BGP update packet is missing

BGP update packets are sometimes missing the mandatory nexthop attribute, which causes connections to reset. For example, this issue is seen when using VRF route leaking with a mix of BGP unnumbered and BGP numbered peers.

This issue is fixed in Cumulus Linux 3.7.9.


RN-1490 (CM-25417)
The link-local neighbor entry is not created with IPv4 routes over IPv6 GUA peering, resulting in a forwarding failure

The IP neighbor entry for a link-local next hop (169.254.x.x) is not installed by FRR, which results in a forwarding failure for routes via that next hop. This is a rare problem that occurs with IPv4 route exchange over IPv6 GUA peering with no IPv4 addresses on the interfaces.

To work around this issue, flap the peering to the peer router (which can be a route reflector) to recover. To avoid this issue, configure IPv6 router advertisements on the connecting interfaces.

This issue is fixed in Cumulus Linux 3.7.9.


RN-1492 (CM-24784)
NCLU command cannot delete BGP neighbor configuration if there is a VRF VNI mapping in the /etc/frr/frr.conf file

NCLU is unable to delete a BGP neighbor configuration if there is a VRF VNI mapping in the /etc/frr/frr.conf file. For example, the following NCLU command produces an error:

cumulus@leaf01$ net del bgp neighbor swp5 interface peer-group spine
'router bgp 65001' configuration does not have 'neighbor swp5 interface peer-group spine'

This issue is fixed in Cumulus Linux 3.7.9.


RN-1493 (CM-25664)
On Trident3 switches, you cannot program more than 50 percent ASIC capacity of ECMP next hops

On the Trident3 platform, you can only add 50 percent of the total ECMP next hops. A log message indicates that the table is full.

This issue is fixed in Cumulus Linux 3.7.9.


RN-1496 (CM-25783)
onie-install stages installer even if checksum validation fails

Cumulus Linux installer images have a shell script that validates checksum integrity. When you run onie-install, this check is run but the installer is still staged even if the checksum validation fails.

To work around this issue, perform your own checksum validation before staging a new image with onie-install.

This issue is fixed in Cumulus Linux 3.7.9.
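The workaround for RN-1496 is to validate the image yourself before onie-install stages it. The script below is an added example, not part of the release notes or the Cumulus installer: it compares the image's SHA-256 with a digest the operator obtained out of band and only then hands the image to onie-install; the onie-install -a -i invocation and the file names are assumptions, and the test content is constructed.

```shell
#!/bin/sh
# Added example, not from the release notes: verify an installer image's
# SHA-256 against an expected digest before staging it (RN-1496:
# onie-install stages the image even when its own checksum check fails).
# The onie-install -a -i invocation is assumed; the digest is supplied by
# the operator from a source other than the image download itself.

# Print the lowercase hex SHA-256 of the file named in $1.
sha256_of() {
    # sha256sum on Linux (the switch); shasum where coreutils is absent.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 when the image digest equals the expected digest (compared
# case-insensitively), 1 otherwise, printing both digests on mismatch.
verify_image() {
    image="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$image")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    printf 'checksum mismatch for %s\n  expected %s\n  actual   %s\n' \
        "$image" "$expected" "$actual" >&2
    return 1
}

# Gate: the image reaches onie-install only after verify_image succeeds,
# so a corrupted or tampered download is never staged.
stage_image() {
    verify_image "$1" "$2" || return 1
    sudo onie-install -a -i "$1"
}

# Usage: ./stage.sh <image.bin> <expected-sha256>
if [ $# -eq 2 ]; then
    stage_image "$1" "$2"
fi
```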


RN-1518 (CM-25770)
On Tomahawk switches, 40G DACs with auto-negotiation enabled are programmed as 20G KR2 in hardware

On a Tomahawk switch, the 5m 40G DACs (40G CR4) do not come up when both sides have auto-negotiation enabled.

This issue is fixed in Cumulus Linux 3.7.9.


RN-1524 (CM-25754)
ARP replies are not forwarded as VXLAN over VXLAN

A port that is used as both a double tag interface and a VXLAN access side interface does not forward correctly; VXLAN decapsulation does not occur.

This issue is fixed in Cumulus Linux 3.7.9. However, do not configure double tagged interfaces on VXLAN uplink ports as this will cause VXLAN routing issues.


RN-1525 (CM-25684)
FEC is not reapplied after switchd restart

For interfaces configured with RS FEC, when switchd is restarted, the link goes down but does not automatically come back up. This occurs because the FEC status is not replayed correctly into the kernel.

To work around this issue, run the ifreload -a command to bring up the interface after switchd is restarted.

This issue is fixed in Cumulus Linux 3.7.9.


RN-1526 (CM-25488)
On Broadcom switches, VXLAN decapsulation routing next-hop is incorrectly programmed after VNI protodown (wrong GPORT)

On Broadcom-based VXLAN routing capable platforms, VXLAN traffic received at the egress VTEP might drop because the hardware is mis-programmed. This issue is related to timing and is not easily reproduced.

This issue might occur after a VXLAN interface (VNI) state transition (the peerlink goes down and puts VNI into a protodown state, then the peerlink comes back and the VNI returns to UP) and is related to how the next-hop information is programmed in hardware. Sometimes the host routes corresponding to this VXLAN segment are mis-programmed with the wrong next hop information.

To work around this issue, restart the switchd service with the sudo systemctl restart switchd.service command.

This issue is fixed in Cumulus Linux 3.7.9.


RN-1538 (CM-26062)
Debian Security Advisory DSA-4505-1 for nginx CVE-2019-9511 CVE-2019-9513 CVE-2019-9516

The following CVEs were announced in Debian Security Advisory DSA-4505-1 and affect the nginx package.

This issue is fixed in Cumulus Linux 3.7.9.

------------------------------------------------------------------------------------

Debian Security Advisory DSA-4505-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

August 22, 2019 https://www.debian.org/security/faq

-----------------------------------------------------------------------------------

Package: nginx

CVE ID: CVE-2019-9511 CVE-2019-9513 CVE-2019-9516

Three vulnerabilities were discovered in the HTTP/2 code of Nginx, a high-performance web and reverse proxy server, which could result in denial of service.

For the oldstable distribution (stretch), these problems have been fixed in version 1.10.3-1+deb9u3.

For the stable distribution (buster), these problems have been fixed in version 1.14.2-2+deb10u1.

We recommend that you upgrade your nginx packages.

For the detailed security status of nginx, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/nginx


RN-1539 (CM-25956)
Debian Security Advisory DSA-4499-1 for ghostscript CVE-2019-10216

The following CVEs were announced in Debian Security Advisory DSA-4499-1 and affect the ghostscript package.

This issue is fixed in Cumulus Linux 3.7.9.

---------------------------------------------------------------------------------------

Debian Security Advisory DSA-4499-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

August 12, 2019 https://www.debian.org/security/faq

---------------------------------------------------------------------------------------

Package: ghostscript

CVE ID: CVE-2019-10216

Debian Bug: 934638

Netanel reported that the .buildfont1 procedure in Ghostscript, the GPL PostScript/PDF interpreter, does not properly restrict privileged calls, which could result in bypass of file system restrictions of the dSAFER sandbox.

For the oldstable distribution (stretch), this problem has been fixed in version 9.26a~dfsg-0+deb9u4.

For the stable distribution (buster), this problem has been fixed in version 9.27~dfsg-2+deb10u1.

We recommend that you upgrade your ghostscript packages.

For the detailed security status of ghostscript, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/ghostscript


RN-1540 (CM-25944)
Debian Security Advisory DSA 4495 DSA 4497 for linux kernel CVE-2015-8553

The following CVEs were announced in Debian Security Advisories DSA-4495 and DSA-4497 and affect the linux kernel package.

This issue is fixed in Cumulus Linux 3.7.9.

---------------------------------------------------------------------------------------------

Debian Security Advisory DSA-4495-1 security@debian.org

https://www.debian.org/security/ Ben Hutchings

August 10, 2019 https://www.debian.org/security/faq

---------------------------------------------------------------------------------------------

Package: linux

CVE ID: CVE-2018-20836 CVE-2019-1125 CVE-2019-1999 CVE-2019-10207 CVE-2019-10638 CVE-2019-12817 CVE-2019-12984 CVE-2019-13233 CVE-2019-13631 CVE-2019-13648 CVE-2019-14283 CVE-2019-14284

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2015-8553

Jan Beulich discovered that CVE-2015-2150 was not completely addressed. If a PCI physical function is passed through to a Xen guest, the guest is able to access its memory and I/O regions before enabling decoding of those regions. This could result in a denial-of-service (unexpected NMI) on the host. The fix for this is incompatible with qemu versions before 2.5.

(CVE ID not yet assigned)

Denis Andzakovic reported a missing type check in the IPv4 multicast routing implementation. A user with the CAP_NET_ADMIN capability (in any user namespace) could use this for denial-of-service (memory corruption or crash) or possibly for privilege escalation.

CVE-2018-5995

ADLab of VenusTech discovered that the kernel logged the virtual addresses assigned to per-CPU data, which could make it easier to exploit other vulnerabilities.

CVE-2018-20836

chenxiang reported a race condition in libsas, the kernel subsystem supporting Serial Attached SCSI (SAS) devices, which could lead to a use-after-free. It is not clear how this might be exploited.

CVE-2019-1125

It was discovered that most x86 processors could speculatively skip a conditional SWAPGS instruction used when entering the kernel from user mode, and/or could speculatively execute it when it should be skipped. This is a subtype of Spectre variant 1, which could allow local users to obtain sensitive information from the kernel or other processes. It has been mitigated by using memory barriers to limit speculative execution. Systems using an i386 kernel are not affected as the kernel does not use SWAPGS.

CVE-2019-1999

A race condition was discovered in the Android binder driver, which could lead to a use-after-free. If this driver is loaded, a local user might be able to use this for denial-of-service (memory corruption) or for privilege escalation.

CVE-2019-3882

It was found that the vfio implementation did not limit the number of DMA mappings to device memory. A local user granted ownership of a vfio device could use this to cause a denial of service (out-of-memory condition).

CVE-2019-3900

It was discovered that vhost drivers did not properly control the amount of work done to service requests from guest VMs. A malicious guest could use this to cause a denial-of-service (unbounded CPU usage) on the host.

CVE-2019-10207

The syzkaller tool found a potential null dereference in various drivers for UART-attached Bluetooth adapters. A local user with access to a pty device or other suitable tty device could use this for denial-of-service (BUG/oops).

CVE-2019-10638

Amit Klein and Benny Pinkas discovered that the generation of IP packet IDs used a weak hash function, "jhash". This could enable tracking individual computers as they communicate with different remote servers and from different networks. The "siphash" function is now used instead.

CVE-2019-10639

Amit Klein and Benny Pinkas discovered that the generation of IP packet IDs used a weak hash function that incorporated a kernel virtual address. This hash function is no longer used for IP IDs, although it is still used for other purposes in the network stack.

CVE-2019-12817

It was discovered that on the PowerPC (ppc64el) architecture, the hash page table (HPT) code did not correctly handle fork() in a process with memory mapped at addresses above 512 TiB. This could lead to a use-after-free in the kernel, or unintended sharing of memory between user processes. A local user could use this for privilege escalation. Systems using the radix MMU, or a custom kernel with a 4 KiB page size, are not affected.

CVE-2019-12984

It was discovered that the NFC protocol implementation did not properly validate a netlink control message, potentially leading to a null pointer dereference. A local user on a system with an NFC interface could use this for denial-of-service (BUG/oops).

CVE-2019-13233

Jann Horn discovered a race condition on the x86 architecture, in use of the LDT. This could lead to a use-after-free. A local user could possibly use this for denial-of-service.

CVE-2019-13631

It was discovered that the gtco driver for USB input tablets could overrun a stack buffer with constant data while parsing the device's descriptor. A physically present user with a specially constructed USB device could use this to cause a denial-of-service (BUG/oops), or possibly for privilege escalation.

CVE-2019-13648

Praveen Pandey reported that on PowerPC (ppc64el) systems without Transactional Memory (TM), the kernel would still attempt to restore TM state passed to the sigreturn() system call. A local user could use this for denial-of-service (oops).

CVE-2019-14283

The syzkaller tool found a missing bounds check in the floppy disk driver. A local user with access to a floppy disk device, with a disk present, could use this to read kernel memory beyond the I/O buffer, possibly obtaining sensitive information.

CVE-2019-14284

The syzkaller tool found a potential division-by-zero in the floppy disk driver. A local user with access to a floppy disk device could use this for denial-of-service (oops).

(CVE ID not yet assigned)

Denis Andzakovic reported a possible use-after-free in the TCP sockets implementation. A local user could use this for denial-of-service (memory corruption or crash) or possibly for privilege escalation.

(CVE ID not yet assigned)

The netfilter conntrack subsystem used kernel addresses as user-visible IDs, which could make it easier to exploit other security vulnerabilities.

XSA-300

Julien Grall reported that Linux does not limit the amount of memory which a domain will attempt to balloon out, nor limit the amount of "foreign / grant map" memory which any individual guest can consume, leading to denial of service conditions (for host or guests).

For the oldstable distribution (stretch), these problems have been fixed in version 4.9.168-1+deb9u5.

For the stable distribution (buster), these problems have been fixed in version 4.19.37-5+deb10u2.

For the oldstable distribution (stretch), these problems will be fixed soon.

We recommend that you upgrade your linux packages.

For the detailed security status of linux, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/linux


RN-1541 (CM-25784)
Debian Security Advisory DSA-4489-1 CVE-2019-13636 CVE-2019-13638

The following CVEs were announced in Debian Security Advisory DSA-4489-1.

This issue is fixed in Cumulus Linux 3.7.9.

---------------------------------------------------------------------------------------

Debian Security Advisory DSA-4489-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

July 27, 2019 https://www.debian.org/security/faq

---------------------------------------------------------------------------------------

Package: patch

CVE ID: CVE-2019-13636 CVE-2019-13638

Debian Bug: 932401 933140

Imre Rad discovered several vulnerabilities in GNU patch, leading to shell command injection or escape from the working directory and access and overwrite files, if specially crafted patch files are processed. This update includes a bugfix for a regression introduced by the patch to address CVE-2018-1000156 when applying an ed-style patch (#933140).

For the oldstable distribution (stretch), these problems have been fixed in version 2.7.5-1+deb9u2.

For the stable distribution (buster), these problems have been fixed in version 2.7.6-3+deb10u1.

We recommend that you upgrade your patch packages.

For the detailed security status of patch please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/patch


RN-1542 (CM-24963)
Debian Security Advisory DSA-4440-1 for bind9 CVE-2018-5743 CVE-2018-5745 CVE-2019-6465

The following CVEs were announced in Debian Security Advisory DSA-4440-1.

This issue is fixed in Cumulus Linux 3.7.9.

---------------------------------------------------------------------------------------

Debian Security Advisory DSA-4440-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

May 09, 2019 https://www.debian.org/security/faq

---------------------------------------------------------------------------------------

Package: bind9

CVE ID: CVE-2018-5743 CVE-2018-5745 CVE-2019-6465

Multiple vulnerabilities were found in the BIND DNS server:

CVE-2018-5743

Connection limits were incorrectly enforced.

CVE-2018-5745

The "managed-keys" feature was susceptible to denial of service by triggering an assert.

CVE-2019-6465

ACLs for zone transfers were incorrectly enforced for dynamically loadable zones (DLZs).

For the stable distribution (stretch), these problems have been fixed in version 1:9.10.3.dfsg.P4-12.3+deb9u5.

We recommend that you upgrade your bind9 packages.

For the detailed security status of bind9 please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/bind9


RN-1543 (CM-23114)
Debian Security Advisory DSA-4347-1 for perl CVE-2018-18311 CVE-2018-18312 CVE-2018-18313 CVE-2018-18314

The following CVEs were announced in Debian Security Advisory DSA-4347-1.

This issue is fixed in Cumulus Linux 3.7.9.

--------------------------------------------------------------------------------------------------

Debian Security Advisory DSA-4347-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

November 29, 2018 https://www.debian.org/security/faq

--------------------------------------------------------------------------------------------------

Package: perl

CVE ID: CVE-2018-18311 CVE-2018-18312 CVE-2018-18313 CVE-2018-18314

Multiple vulnerabilities were discovered in the implementation of the Perl programming language. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2018-18311

Jayakrishna Menon and Christophe Hauser discovered an integer overflow vulnerability in Perl_my_setenv leading to a heap-based buffer overflow with attacker-controlled input.

CVE-2018-18312

Eiichi Tsukata discovered that a crafted regular expression could cause a heap-based buffer overflow write during compilation, potentially allowing arbitrary code execution.

CVE-2018-18313

Eiichi Tsukata discovered that a crafted regular expression could cause a heap-based buffer overflow read during compilation, which leads to an information leak.

CVE-2018-18314

Jakub Wilk discovered that a specially crafted regular expression could lead to a heap-based buffer overflow.

For the stable distribution (stretch), these problems have been fixed in version 5.24.1-3+deb9u5.

We recommend that you upgrade your perl packages.

For the detailed security status of perl please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/perl


RN-1544 (CM-23096)
Debian Security Advisory DSA-4346-1 DSA-4372-1 for ghostscript CVE-2018-19409 CVE-2018-19475 CVE-2018-19476 CVE-2018-19477 CVE-2019-6116

The following CVEs were announced in Debian Security Advisory DSA-4372-1.

This issue is fixed in Cumulus Linux 3.7.9.

--------------------------------------------------------------------------------------------------

Debian Security Advisory DSA-4346-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

November 27, 2018 https://www.debian.org/security/faq

--------------------------------------------------------------------------------------------------

Package: ghostscript

CVE ID: CVE-2018-19409 CVE-2018-19475 CVE-2018-19476 CVE-2018-19477

Several vulnerabilities were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which may result in denial of service or the execution of arbitrary code if a malformed Postscript file is processed (despite the -dSAFER sandbox being enabled). This update rebases ghostscript for stretch to the upstream version 9.26 which includes additional changes.

For the stable distribution (stretch), these problems have been fixed in version 9.26~dfsg-0+deb9u1.

We recommend that you upgrade your ghostscript packages.

For the detailed security status of ghostscript please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/ghostscript


RN-1545 (CM-20809)
Debian Security Advisory for ghostscript CVE-2016-10317 CVE-2018-10194

The following CVEs were announced in a Debian Security Advisory.

This issue is fixed in Cumulus Linux 3.7.9.

--------------------------------------------------------------------------------------------------

It was discovered that Ghostscript incorrectly handled certain PostScript files. An attacker could possibly use this to cause a denial of service. (CVE-2016-10317)

It was discovered that Ghostscript incorrectly handled certain PDF files. An attacker could possibly use this to cause a denial of service. (CVE-2018-10194)

Debian CVE links: https://security-tracker.debian.org/tracker/CVE-2016-10317 and

https://security-tracker.debian.org/tracker/CVE-2018-10194


RN-1546 (CM-19960)
Debian Security Advisory DSA-4131 for xen CVE-2018-7540 CVE-2018-7541

The following CVEs were announced in Debian Security Advisory DSA-4131.

This issue is fixed in Cumulus Linux 3.7.9.

-------------------------------------------------------------------------------------------

Debian Security Advisory DSA-4131-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

March 04, 2018 https://www.debian.org/security/faq

------------------------------------------------------------------------------------------

Package: xen

CVE ID: CVE-2018-7540 CVE-2018-7541 CVE-2018-7542

Multiple vulnerabilities have been discovered in the Xen hypervisor:

CVE-2018-7540

Jann Horn discovered that missing checks in page table freeing may result in denial of service.

CVE-2018-7541

Jan Beulich discovered that incorrect error handling in grant table checks may result in guest-to-host denial of service and potentially privilege escalation.

CVE-2018-7542

Ian Jackson discovered that insufficient handling of x86 PVH guests without local APICs may result in guest-to-host denial of service.

For the stable distribution (stretch), these problems have been fixed in version 4.8.3+comet2+shim4.10.0+comet3-1+deb9u5.

We recommend that you upgrade your xen packages.

For the detailed security status of xen please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/xen


RN-1548 (CM-25619)
Routing issue on Broadcom switches when adding a new VNI in an asymmetric or centralized EVPN configuration

After configuring switchd hal.bcm.per_vlan_router_mac_lookup to TRUE on a Broadcom switch and then adding a new VNI, layer 2 traffic works over VXLAN but the host cannot ping its locally connected gateway and loses routing to other IPs and subnets.

This issue is fixed in Cumulus Linux 3.7.9.

The following issues were added on September 13, 2019.

RN-1297 (CM-24092)
Facebook Backpack PSU monitoring occasionally replies with N/A value or FAULT ALARM instead of integers

On the Facebook Backpack switch, you sometimes see the unparsable sensor value "FAULT ALARM" and/or the state changed from OK to ABSENT in the /var/log/syslog file.

This is a known limitation in the platform and is now documented in the user guide.


RN-1558 (CM-24440)
bgpd dumps core at zclient_send_interface_radv_req

This issue has to do with how FRRouting checks next hops.

This issue is fixed in Cumulus Linux 3.7.9 and has been pushed upstream to FRRouting.


RN-1436 (CM-25079)
snmpd double free memory crash in agentx_master_handler

The snmpd service exits with a message similar to the following:

Error in `/usr/sbin/snmpd': double free or corruption (fasttop): 0x00000000018a4e50 ***

This problem might occur during or after network convergence events. For example, when bgpd needs to process a high number of updates and the CPU cannot keep up, bgpd is disconnected and agentx generates a core dump in snmpd due to a memory allocation problem.

To work around this issue, disable agentx by commenting out the following lines in the /etc/snmp/snmpd.conf file. Then, restart the snmpd service with the systemctl restart snmpd command.

agentxperms 777 777 snmp snmp
agentxsocket /var/agentx/master

If you still want to poll the BGP4-MIB information, re-enable the bgp pass persist script by adding the following line in the /etc/snmp/snmpd.conf file:

pass_persist 1.3.6.1.2.1.15 /usr/share/snmp/bgp4_pp.py
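The following script is an added illustration of the workaround above; it is not part of these release notes or of Cumulus Linux. It comments out the agentx directives, adds the pass_persist line if it is not already present, keeps a backup of the original file and restarts snmpd. The file path and directive names are the ones given above; the snmpd.conf contents used to exercise the function are constructed for the example.

```python
#!/usr/bin/env python3
"""Apply the RN-1436 snmpd workaround: disable agentx, keep BGP4-MIB polling."""
import shutil
import subprocess
import sys

SNMPD_CONF = "/etc/snmp/snmpd.conf"
AGENTX_DIRECTIVES = ("agentxperms", "agentxsocket")
BGP4_PASS_PERSIST = "pass_persist 1.3.6.1.2.1.15 /usr/share/snmp/bgp4_pp.py"

# Constructed sample of a minimal snmpd.conf with agentx enabled (not a real file).
SAMPLE_CONF = """\
rocommunity public default
agentxperms 777 777 snmp snmp
agentxsocket /var/agentx/master
"""


def apply_agentx_workaround(conf_text):
    """Return (new_text, changed).

    Every active agentxperms/agentxsocket directive is commented out, and the
    bgp4_pp.py pass_persist line is appended unless a pass_persist for the
    BGP4-MIB OID is already present. Running it a second time changes nothing.
    """
    out = []
    changed = False
    has_bgp4_pass_persist = False
    for line in conf_text.splitlines():
        stripped = line.strip()
        directive = stripped.split(None, 1)[0] if stripped else ""
        if directive in AGENTX_DIRECTIVES:
            out.append("# " + line)  # disabled by the RN-1436 workaround
            changed = True
            continue
        if directive == "pass_persist" and "1.3.6.1.2.1.15" in stripped:
            has_bgp4_pass_persist = True
        out.append(line)
    if not has_bgp4_pass_persist:
        out.append(BGP4_PASS_PERSIST)
        changed = True
    return "\n".join(out) + "\n", changed


def main(path=SNMPD_CONF):
    """Rewrite the config in place (with a backup) and restart snmpd if needed."""
    with open(path) as f:
        original = f.read()
    new_text, changed = apply_agentx_workaround(original)
    if not changed:
        print("no change needed: agentx already disabled and pass_persist present")
        return 0
    shutil.copy2(path, path + ".bak-rn1436")  # keep the original for rollback
    with open(path, "w") as f:
        f.write(new_text)
    subprocess.run(["systemctl", "restart", "snmpd"], check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else SNMPD_CONF))
```

Run it as root on the affected switch; pass a different path as the first argument to try it on a copy of the file first.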

This issue is fixed in Cumulus Linux 3.7.9.

The following new issues were added on October 4, 2019.

RN-1566 (CM-26073)
watchfrr calls sudo /usr/sbin/service frr restart bgpd, which restarts all FRR daemons

watchfrr calls sudo /usr/sbin/service frr restart bgpd, but this restarts all FRR daemons, which can cause a large outage. This occurs because watchfrr uses an old-style service command, which restarts all daemons when a single daemon fails.

This issue is fixed in Cumulus Linux 3.7.9.


RN-1567 (CM-26022)
With the UFT lpm-equal profile, IPv6 long routes are limited to 16K

When using the UFT lpm-equal profile, IPv6 routes are limited to 16K.

This issue is fixed in Cumulus Linux 3.7.9.


RN-1568 (CM-25979)
Route leaking between default BGP instance and another instance fails after FRR restart

Dynamic route leaking works as expected until FRR is restarted or the switch is rebooted. After the restart or reboot, the import RT under the VRF where routes are being imported is incorrect.

This issue is fixed in Cumulus Linux 3.7.9.


RN-1569 (CM-25674)
On Mellanox switches, policer iptables are not working

On Mellanox switches, policer iptables are not working as expected. For example, when using a policer with mode KB/MB/GB to rate-limit interfaces, the syntax is accepted but the data plane transfer speed is not affected by the rule.

This issue is fixed in Cumulus Linux 3.7.9.


RN-1570 (CM-25735)
VNIs briefly go protodown when rebooted MLAG peer comes back up

When MLAG is re-establishing its peering after a member reboot, the VNIs on the peer briefly go into a protodown state. This can cause complete downtime for dually connected hosts because the member coming back up is still in initDelay. This issue resolves itself as the VNIs come back up within ten seconds.

This issue is fixed in Cumulus Linux 3.7.9.


RN-1571 (CM-25646)
ifupdown2 does not remove IP address when moving from 'address' line to 'inet dhcp' and issuing 'ifreload -a'

When moving an IP address from the address line to inet dhcp, then issuing the ifreload -a command, the old address is not removed from the interface. NCLU still reports the old address only and reports it as a DHCP address.

This issue is fixed in Cumulus Linux 3.7.9.


RN-1572 (CM-25432)
snmpd double free memory or corruption crash in free_agent_snmp_session

The snmpd service frequently crashes due to double free or corruption.

This issue is fixed in Cumulus Linux 3.7.9.


RN-1573 (CM-25414)
On Mellanox SN2410 switches, switchd fails to start

On the Mellanox SN2410 switch, switchd does not start.

This issue is fixed in Cumulus Linux 3.7.9.


RN-1574 (CM-25467)
Debian Security Advisory DSA-4472-1 for expat (libexpat1) CVE-2018-20843

The following CVEs were announced in Debian Security Advisory DSA-4472-1 and affect the expat (libexpat1) package.

This issue is fixed in Cumulus Linux 3.7.9.

-------------------------------------------------------------------------------------

Debian Security Advisory DSA-4472-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

June 28, 2019 https://www.debian.org/security/faq

-------------------------------------------------------------------------------------

Package: expat

CVE ID: CVE-2018-20843

Debian Bug: 931031

It was discovered that Expat, an XML parsing C library, did not properly handle XML input including XML names that contain a large number of colons, potentially resulting in denial of service.

For the stable distribution (stretch), this problem has been fixed in version 2.2.0-2+deb9u2.

We recommend that you upgrade your expat packages.

For the detailed security status of expat, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/expat

The following new issues were added on October 18, 2019.


RN-762 (CM-15677)
SBUS error warnings on Tomahawk switches

SBUS error warnings display on Tomahawk switches.

This issue could not be reproduced.


RN-788 (CM-19381)
dhcrelay does not bind to interfaces that have names longer than 14 characters

The dhcrelay command does not bind to an interface if the interface's name is longer than 14 characters.

To work around this issue, change the interface name to be 14 or fewer characters if dhcrelay is required to bind to it.

This is a known limitation in dhcrelay and is documented in the Cumulus Linux user guide.


RN-942 (CM-20693)
In NCLU, you can only set the community number in a route map

In NCLU, you can only set the community number in a route map. You cannot set other community options such as no-export, no-advertise, or additive.

This is a known limitation in network-docopt and is documented in the Cumulus Linux user guide.


RN-1084 (CM-22252)
No PSU sensors/smonctl support for Edgecore OMP-800

On the Edgecore OMP-800, there is no power supply information from the sensors or from smonctl.

The platform driver has support for the PSUs but this was not added to the sensors infrastructure.

This is a known limitation on the OMP-800 platform.


RN-1232 (CM-23372)
DHCP Relay does not work with traditional bridges

DHCP Relay does not work on traditional bridges. The DHCP Discover message is forwarded as unicast to the DHCP server and the Offer is received correctly, but is not forwarded to the client.

To work around this issue, make sure that the name of the bridge is no longer than 14 characters and change the name of the bridge if necessary.

This is a known limitation in dhcrelay and is documented in the Cumulus Linux user guide.


RN-1485 (CM-20864)
The NCLU command to configure route leaking fails if the VRF is named 'red'

The NCLU command to configure route leaking fails if the VRF is named red. This is not a problem if the VRF is named RED (uppercase letters) or has a name other than red.

To work around this issue, rename the VRF or run the vtysh command instead.

This is a known limitation in network-docopt and is documented in the Cumulus Linux user guide.

New Known Issues in Cumulus Linux 3.7.9

The following issues affect the Cumulus Linux 3.7.9 release.

Release Note ID Summary Description

RN-1559 (CM-26200)
Debian Security Advisory for systemd-resolved CVE-2019-15718

The following CVEs were announced that affect the systemd-resolved package. Cumulus Linux does not enable systemd-resolved by default, so Cumulus Linux is not vulnerable as shipped.

Name: CVE-2019-15718
Description: Missing access controls on systemd-resolved's D-Bus interface
Debian Bugs: 939353

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                      Version          Status
systemd (PTS)    jessie                       215-17+deb8u7    vulnerable
                 jessie (security)            215-17+deb8u13   vulnerable
                 stretch (security), stretch  232-25+deb9u11   fixed
                 buster                       241-5            vulnerable
                 bullseye                     242-5            vulnerable
                 sid                          242-6            vulnerable

The information below is based on the following data on fixed versions.

Package  Type    Release     Fixed Version   Urgency  Origin  Debian Bugs
systemd  source  (unstable)  (unfixed)                        939353
systemd  source  stretch     (not affected)

Notes

[buster] - systemd <no-dsa> (Minor issue; systemd-resolved not enabled by default)
[stretch] - systemd <not-affected> (Vulnerable code introduced later)

References

https://www.openwall.com/lists/oss-security/2019/09/03/1
https://github.com/systemd/systemd/pull/13457
https://github.com/systemd/systemd/commit/35e528018f315798d3bffcb592b32a0d8f5162bd

This new issue was added on September 18, 2019.


RN-1560 (CM-26383)
On Broadcom switches, CPU generated traffic egresses access ports with a 802.1Q tag with VLAN ID 0

After upgrading to Cumulus Linux 3.7.9 on a Broadcom switch, CPU generated traffic (such as ICMP, OSPF, ARP, and so on) egresses access ports with a 802.1Q header with a VLAN ID of 0. Other vendors' equipment might drop traffic received with a 802.1Q header tagged with VLAN 0.

To work around this issue, revert to Cumulus Linux 3.7.8.

This is a known issue that is currently being investigated.
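To confirm whether a switch is affected, it helps to look at the frames it sends rather than at the configuration. The following Python code is an added example, not part of these release notes or of Cumulus Linux: it decodes the 802.1Q header of an Ethernet frame and flags frames whose tag carries VLAN ID 0 (a priority-only tag), which is the symptom described above. The sample frames, MAC addresses and ARP body are constructed for the example.

```python
#!/usr/bin/env python3
"""Spot 802.1Q frames tagged with VLAN ID 0, the symptom described in RN-1560."""
import struct

ETH_P_8021Q = 0x8100   # customer VLAN tag (TPID)
ETH_P_8021AD = 0x88A8  # service VLAN tag (QinQ outer TPID)
ETH_P_ARP = 0x0806


def parse_vlan_tag(frame):
    """Return (tpid, pcp, dei, vid, inner_ethertype) for a tagged frame, else None.

    Frame layout: dst MAC (6) | src MAC (6) | TPID (2) | TCI (2) | ethertype (2).
    """
    if len(frame) < 18:
        return None
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid not in (ETH_P_8021Q, ETH_P_8021AD):
        return None
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return tpid, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF, inner


def is_priority_tagged(frame):
    """True when the frame carries a VLAN tag whose VLAN ID is 0."""
    tag = parse_vlan_tag(frame)
    return tag is not None and tag[3] == 0


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Assemble an Ethernet frame; when vid is given, insert an 802.1Q tag."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload


def count_priority_tagged(frames):
    """Number of frames in a capture that egress with VLAN ID 0."""
    return sum(1 for f in frames if is_priority_tagged(f))


# Constructed sample frames (made-up MAC addresses, placeholder ARP body).
BCAST = b"\xff\xff\xff\xff\xff\xff"
SWITCH_MAC = b"\x02\x00\x00\x00\x00\x01"
ARP_BODY = bytes(28)  # only the Ethernet headers matter for this check
PRIORITY_TAGGED_ARP = build_frame(BCAST, SWITCH_MAC, ETH_P_ARP, ARP_BODY, vid=0)
UNTAGGED_ARP = build_frame(BCAST, SWITCH_MAC, ETH_P_ARP, ARP_BODY)
VLAN10_ARP = build_frame(BCAST, SWITCH_MAC, ETH_P_ARP, ARP_BODY, vid=10, pcp=3)

if __name__ == "__main__":
    for name, frame in (("priority-tagged", PRIORITY_TAGGED_ARP),
                        ("untagged", UNTAGGED_ARP), ("vlan 10", VLAN10_ARP)):
        print(name, parse_vlan_tag(frame), "VID 0:", is_priority_tagged(frame))
```

On a real link, tcpdump -e on the receiving host prints the VLAN tag of each frame, so the same check can be made on a capture taken at the peer that is dropping the traffic.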

Issues Fixed in Cumulus Linux 3.7.8

The following issue is fixed in Cumulus Linux 3.7.8.

Release Note ID Summary Description

RN-1495 (CM-25801)
Using either hostnamectl or the systemd-hostnamed process fills syslog with constant kernel messages, such as unregister_netdevice: waiting for lo to become free. Usage count = 2

When you run the hostnamectl status command or start the systemd-hostnamed process, you see constant unregister_netdevice kernel messages in syslog and on the console. This causes the syslog to become filled with messages and makes troubleshooting difficult.

This issue is fixed in Cumulus Linux 3.7.8.

New Known Issues in Cumulus Linux 3.7.8

The following issues affect the Cumulus Linux 3.7.8 release.

Release Note ID Summary Description

RN-1343 (CM-22834, CM-25930)
Some IPv6 BGP peers might fail to reestablish after a switchd restart

In rare cases, certain IPv6 BGP peers might fail to reestablish after switchd restarts.

This is a regression of an earlier issue and is currently being investigated.

The following new issues were added on September 11, 2019.


RN-1549 (CM-26256)
Extra dictionary in net show evpn vni detail json command output

The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
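Scripts that feed this output to a JSON parser fail outright, because a strict parser rejects anything after the first document. The following Python code is an added example, not part of these release notes or of Cumulus Linux: it parses the output one top-level document at a time, keeps the first one and tolerates only a trailing empty dictionary. The sample output and its field names are constructed for the example.

```python
#!/usr/bin/env python3
"""Tolerate the trailing empty dictionary in `net show evpn vni detail json` output."""
import json

# Constructed sample of the affected output: one real document followed by the
# stray "{}" that RN-1549 describes. The field names are illustrative only.
SAMPLE_OUTPUT = """\
{
  "10": {"vni": 10, "type": "L2", "vxlanInterface": "vni10"},
  "20": {"vni": 20, "type": "L2", "vxlanInterface": "vni20"}
}
{}
"""


def parse_json_documents(text):
    """Parse every top-level JSON document in text, in order.

    json.loads() rejects the whole string because of the trailing "{}";
    JSONDecoder.raw_decode() parses one document and reports where it ended,
    so the loop can continue past it.
    """
    decoder = json.JSONDecoder()
    docs = []
    pos, end = 0, len(text)
    while True:
        while pos < end and text[pos].isspace():  # raw_decode does not skip whitespace
            pos += 1
        if pos >= end:
            return docs
        obj, pos = decoder.raw_decode(text, pos)
        docs.append(obj)


def load_net_json(text):
    """Return the first document; reject trailing data that is not an empty dict."""
    docs = parse_json_documents(text)
    if not docs:
        raise ValueError("no JSON document in command output")
    extras = [d for d in docs[1:] if d != {}]
    if extras:
        raise ValueError("unexpected trailing JSON data: %r" % (extras,))
    return docs[0]


def vni_ids(text):
    """VNI numbers present in the output, as a sorted list."""
    return sorted(int(k) for k in load_net_json(text))


if __name__ == "__main__":
    print("VNIs:", vni_ids(SAMPLE_OUTPUT))
    print("documents:", parse_json_documents(SAMPLE_OUTPUT))
```

Rejecting any non-empty trailing document keeps the parser from silently discarding data if the output format changes again in a later release.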

This is a known issue that is currently being investigated.


RN-1550 (CM-26230)
The static VXLAN tunnel does not work if the local-tunnelip is an SVI

When local-tunnelip is an SVI, the static VXLAN tunnel does not work; the next hop router receives the packet but drops it because it does not know where to forward it. The static VXLAN tunnel works if local-tunnelip is a loopback or a physical layer 3 interface.

This is a known issue that is currently being investigated.


RN-1551 (CM-26229)
You cannot configure multi instance OSPF with NCLU commands

Using NCLU to configure multi instance OSPF does not work.

This is a known issue that is currently being investigated.


RN-1552 (CM-26098)
The net show bridge mac command is case and format sensitive

The net show bridge mac command is case sensitive and format sensitive.

If you use capital letters to search for a specific MAC address, you do not get any results. For example:

cumulus@leaf01:~$ net sh bridge mac AA:BB:CC:DD:EE:FF

VLAN  Master  Interface  MAC  TunnelDest  State  Flags  LastSeen
----  ------  ---------  ---  ----------  -----  -----  --------

A MAC address format other than aa:bb:cc:dd:ee:ff is not valid. For example:

cumulus@leaf01:~$ net sh bridge mac aabbccddeeff
ERROR: Command not found.

    net sh bridge mac aabbccddeeff
                     ^ Invalid value here. Enter MAC address as aa:bb:cc:dd:ee:ff

This is a known issue that is currently being investigated.
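Tooling that wraps this command can sidestep both restrictions by normalizing the address first. The following Python code is an added example, not part of these release notes or of Cumulus Linux: it converts the common MAC spellings (upper case, dashes, Cisco dotted quads, bare hex digits) to the aa:bb:cc:dd:ee:ff form that NCLU accepts and builds the command line from it. The command name and argument order are those shown above; the sample addresses are constructed.

```python
#!/usr/bin/env python3
"""Normalize MAC address spellings before calling `net show bridge mac` (RN-1552)."""
import re
import subprocess

HEX2 = "[0-9a-f]{2}"
MAC_FORMS = (
    # aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff
    re.compile(r"^%s[:-]%s[:-]%s[:-]%s[:-]%s[:-]%s$" % ((HEX2,) * 6)),
    # Cisco dotted form aabb.ccdd.eeff
    re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$"),
    # 12 bare hex digits
    re.compile(r"^[0-9a-f]{12}$"),
)


def normalize_mac(text):
    """Return the address as aa:bb:cc:dd:ee:ff, the only form NCLU accepts.

    Raises ValueError for anything that is not one of the recognised forms.
    """
    value = text.strip().lower()
    if not any(p.match(value) for p in MAC_FORMS):
        raise ValueError("not a MAC address: %r" % text)
    digits = re.sub(r"[^0-9a-f]", "", value)  # safe: the form was validated above
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def bridge_mac_command(text):
    """argv for the NCLU lookup with the address normalized."""
    return ["net", "show", "bridge", "mac", normalize_mac(text)]


def lookup_bridge_mac(text):
    """Run the lookup on a Cumulus Linux switch and return its output."""
    result = subprocess.run(bridge_mac_command(text), check=True,
                            capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    for sample in ("AA:BB:CC:DD:EE:FF", "aabb.ccdd.eeff", "AA-BB-CC-DD-EE-FF"):
        print(sample, "->", " ".join(bridge_mac_command(sample)))
```

Validating the form before stripping separators matters: stripping first would also turn malformed input such as a five-octet address followed by junk into something that looks valid.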


RN-1556 (CM-26146)
clagd memory leak

clagd memory consumption increases under certain unknown conditions.

This is a known issue that is currently being investigated.

The following new issues were added on October 4, 2019.

RN-1567 (CM-26022)
With the UFT lpm-equal profile, IPv6 long routes are limited to 16K

When using the UFT lpm-equal profile, IPv6 routes are limited to 16K.

This is a known issue that is currently being investigated.


RN-1570 (CM-25735)
VNIs briefly go protodown when rebooted MLAG peer comes back up

When MLAG is re-establishing its peering after a member reboot, the VNIs on the peer briefly go into a protodown state. This can cause complete downtime to dually connected hosts as the member coming back up is still in initDelay. This issue does resolve itself as the VNIs do come back up within ten seconds.

This is a known issue that is currently being investigated.

Issues Fixed in Cumulus Linux 3.7.7

The following is a list of issues fixed in Cumulus Linux 3.7.7 from earlier versions of Cumulus Linux.

Release Note ID Summary Description

RN-537 (CM-12967)
Pause frames sent by a Tomahawk switch are not honored by the upstream switch

When link pause or priority flow control (PFC) is enabled on a Broadcom Tomahawk-based switch and there is over-subscription on a link, the ASIC sends pause frames aggressively, causing the upstream switch to not throttle enough.

If you need link pause or PFC functionality, you must use a switch that does not use the Tomahawk ASIC.

This issue is fixed in Cumulus Linux 3.7.7.


RN-766 (CM-19006)
On the Broadcom Trident II+, Trident 3, and Maverick platforms, in an external VXLAN routing environment, the switch does not rewrite MAC addresses and TTL, so packets are dropped by the next hop

On the Broadcom Trident II+, Trident 3, and Maverick based switch, in an external VXLAN routing environment, when a lookup is done on the external-facing switch (exit/border leaf) after VXLAN decapsulation, the switch does not rewrite the MAC addresses and TTL; for through traffic, packets are dropped by the next hop instead of correctly routing from a VXLAN overlay network into a non-VXLAN external network (for example, to the Internet).

This applies to all forms of VXLAN routing (centralized, asymmetric and symmetric) and affects all traffic from VXLAN overlay hosts that need to be routed after VXLAN decapsulation on an exit/border leaf, including:

  • Traffic destined to external networks (through traffic)
  • Traffic destined to the exit leaf SVI address

To work around this issue, on the exit leaf, modify the external-facing interface for each VLAN subinterface by creating a temporary VNI and associating it with the existing VLAN ID.

For example, if the expected interface configuration is:

auto swp3.2001
iface swp3.2001
    vrf vrf1
    address 45.0.0.2/24
# where swp3 is the external facing port and swp3.2001 is the VLAN subinterface

auto bridge
iface bridge
    bridge-vlan-aware yes
    bridge ports vx-4001
    bridge-vids 4001

auto vx-4001
iface vx-4001
    vxlan-id 4001
    <... usual vxlan config ...>
    bridge-access 4001
# where vnid 4001 represents the L3 VNI

auto vlan4001
iface vlan4001
    vlan-id 4001
    vlan-raw-device bridge
    vrf vrf1

Modify the configuration as follows:

auto swp3
iface swp3
    bridge-access 2001
# associate the port (swp3) with bridge 2001

auto bridge
iface bridge
    bridge-vlan-aware yes
    bridge ports swp3 vx-4001 vx-16000000
    bridge-vids 4001 2001
# where vx-4001 is the existing VNI and vx-16000000 is a new temporary VNI
# this is now bridging the port (swp3), the VNI (vx-4001),
# and the new temporary VNI (vx-16000000)
# the bridge VLAN IDs are now 4001 and 2001

auto vlan2001
iface vlan2001
    vlan-id 2001
    vrf vrf1
    address 45.0.0.2/24
    vlan-raw-device bridge
# create a VLAN 2001 with the associated VRF and IP address

auto vx-16000000
iface vx-16000000
    vxlan-id 16000000
    bridge-access 2001
    <... usual vxlan config ...>
# associate the temporary VNI (vx-16000000) with bridge 2001

auto vx-4001
iface vx-4001
    vxlan-id 4001
    <... usual vxlan config ...>
    bridge-access 4001
# where vnid 4001 represents the L3 VNI

auto vlan4001
iface vlan4001
    vlan-id 4001
    vlan-raw-device bridge
    vrf vrf1

If an MLAG pair is used instead of a single exit/border leaf, the same temporary VNIs should be added on both switches of the MLAG pair.

This issue is fixed in Cumulus Linux 3.7.7 on the Broadcom Trident 3 switch.

Note: This issue still exists on the Broadcom Trident II+ and Maverick-based switch.


RN-1036 (CM-21853)
The Trident3 switch does not send out sflow flow samples

The Trident3 switch does not send out sflow flow samples; only counter samples are sent.

This issue is fixed in Cumulus Linux 3.7.7.


RN-1225 (CM-22892)
On the Dell S5248-06 and S5232F switch, systemd-modules-load.service fails and switchd does not start

After a new Cumulus Linux install on the Dell S5248F and S5232F switch or during a soft reboot of these platforms, systemd-modules-load.service and a few other services might fail because switchd does not start. You see the following syslog messages:

kernel: fpga_init: cum_i2c_add_cli(70,sff8436) failed: -6
kernel: Error, FPGA driver NOT registered
kernel: dellemc_s5248f_init: FPGA initialization failed

To prevent this issue, power cycle the switch if a reboot is needed instead of doing a soft reboot. To work around this issue if it occurs, power cycle the switch to recover.

This issue is fixed in Cumulus Linux 3.7.7.


RN-1235 (CM-23116)
ISIS traffic is forwarded to the CPU and is not forwarded on the bridge

Bridging ISIS traffic fails because layer 2 cache rules forward ISIS traffic to the CPU, where it is then dropped.

To work around this issue, contact Customer Support.

This issue is fixed in Cumulus Linux 3.7.7.


RN-1245 (CM-23657)
Flapping the VNI with ifdown causes the MTU for an SVI to revert to 1500

When you flap a VNI with ifdown vni and ifup vni, the value of all MTUs for the SVI lowers to 1500 regardless of the default value set in the /etc/network/ifupdown2/policy.d/mtu.json file. This behavior does not occur if you flap the link with ip link set vni down.

This issue is fixed in Cumulus Linux 3.7.7.


RN-1258 (CM-23709)
ECMP + LACP bond hashing unbalanced over VXLAN

In a layer 2 VXLAN configuration, where each ECMP path is a layer 3 LACP bond with multiple port members, ECMP hash appears fine for data traffic over VXLAN from one VTEP to another, but the LACP hash is unbalanced.

This issue is fixed in Cumulus Linux 3.7.7.


RN-1298 (CM-24047)
ARP requests are being sent with the sender IP address set to 0.0.0.0

The Cumulus Linux switch sometimes sends out ARP request packets with the sender IP address set to 0.0.0.0.

This issue is fixed in Cumulus Linux 3.7.7.


RN-1307 (CM-14975)
On Broadcom switches, you see switchd high CPU utilization even when idle

On Dell S6000 switches, switchd CPU utilization is high (50% and above) even when there is no configuration and it is idle.

This issue is fixed in Cumulus Linux 3.7.7.


RN-1329 (CM-24255)
MDA: Interface specific configuration changes fail if the port is already authorized

The net commit command fails when you try to add a static voice VLAN or delete dot1x configuration for an interface when the port is already authorized.

This issue is fixed in Cumulus Linux 3.7.7.


RN-1332 (CM-24377)
Incorrect readout of the high temperature alarm threshold disables a 100G optical module on Mellanox Spectrum switches

An incorrect readout of the optical transceiver high temperature alarm threshold (read as 17 degrees centigrade), disables a 100G optical module on Mellanox Spectrum switches.

This issue is fixed in Cumulus Linux 3.7.7.


RN-1335 (CM-24205)
All ports are removed from the bridge after you delete or add a single port on a traditional bridge

When you delete or add 802.1X configuration on a port in a traditional mode bridge, all the ports are removed from the bridge.

This issue is fixed in Cumulus Linux 3.7.7.


RN-1343 (CM-22834)
Some IPv6 BGP peers fail to reestablish after a switchd restart

After switchd restarts, certain IPv6 BGP peers fail to reestablish.

This issue is a regression and is fixed in Cumulus Linux 3.7.7.


RN-1384 (CM-24805)
Debian Security Advisory DSA-4436-1 for imagemagick CVE-2019-9956 CVE-2019-10650

The following CVEs were announced in Debian Security Advisory DSA-4436-1 and affect the imagemagick packages.

This issue is fixed in Cumulus Linux 3.7.7.

-------------------------------------------------------------------------------------------

Debian Security Advisory DSA-4436-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

April 28, 2019 https://www.debian.org/security/faq

------------------------------------------------------------------------------------------

This update fixes two vulnerabilities in Imagemagick: Memory handling problems and missing or incomplete input sanitising may result in denial of service, memory disclosure or the execution of arbitrary code if malformed TIFF or Postscript files are processed.

For the stable distribution (stretch), these problems have been fixed in version 8:6.9.7.4+dfsg-11+deb9u7.

We recommend that you upgrade your imagemagick packages.

For the detailed security status of imagemagick, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/imagemagick


RN-1389 (CM-24663)
The EdgeCore AS7326-56X cannot read the board EEPROM

On the EdgeCore AS7326-56X switch, switchd does not start on initial install because the decode-syseeprom command fails. However, in ONIE, onie-syseeprom reads the EEPROM without problems.

This issue is fixed in Cumulus Linux 3.7.7.


RN-1390 (CM-24645)
Debian Security Advisory DSA-4433-1 for ruby2.3 CVE-2019-8320 CVE-2019-8321 CVE-2019-8322 CVE-2019-8323 CVE-2019-8324 CVE-2019-8325

The following CVEs were announced in Debian Security Advisory DSA-4433-1 and affect the ruby2.3 package.

This issue is fixed in Cumulus Linux 3.7.7.

-------------------------------------------------------------------------------------------

Debian Security Advisory DSA-4433-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

April 16, 2019 https://www.debian.org/security/faq

-------------------------------------------------------------------------------------------

Package : ruby2.3

CVE ID : CVE-2019-8320 CVE-2019-8321 CVE-2019-8322 CVE-2019-8323 CVE-2019-8324 CVE-2019-8325

Several vulnerabilities have been discovered in the Rubygems included in the interpreter for the Ruby language, which may result in denial of service or the execution of arbitrary code.

For the stable distribution (stretch), these problems have been fixed in version 2.3.3-1+deb9u6.

We recommend that you upgrade your ruby2.3 packages.

For the detailed security status of ruby2.3, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/ruby2.3


RN-1391 (CM-24644)
Debian Security Advisory DSA-4432-1 for ghostscript CVE-2019-3835 CVE-2019-3838

The following CVEs were announced in Debian Security Advisory DSA-4432-1 and affect the ghostscript package.

This issue is fixed in Cumulus Linux 3.7.7.

-------------------------------------------------------------------------------------------

Debian Security Advisory DSA-4432-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

April 16, 2019 https://www.debian.org/security/faq

-------------------------------------------------------------------------------------------

Package : ghostscript

CVE ID : CVE-2019-3835 CVE-2019-3838

Debian Bug : 925256 925257

Cedric Buissart discovered two vulnerabilities in Ghostscript, the GPL PostScript/PDF interpreter, which could result in bypass of file system restrictions of the dSAFER sandbox.

For the stable distribution (stretch), these problems have been fixed in version 9.26a~dfsg-0+deb9u2.

We recommend that you upgrade your ghostscript packages.

For the detailed security status of ghostscript, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/ghostscript


RN-1392 (CM-24530)
Debian Security Advisory DSA-4428-1 for systemd CVE-2019-3842

The following CVEs were announced in Debian Security Advisory DSA-4428-1 and affect the systemd package.

This issue is fixed in Cumulus Linux 3.7.7.

-------------------------------------------------------------------------------------------

Debian Security Advisory DSA-4428-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

April 08, 2019 https://www.debian.org/security/faq

-------------------------------------------------------------------------------------------

Package : systemd

CVE ID : CVE-2019-3842

Jann Horn discovered that the PAM module in systemd insecurely uses the environment and lacks seat verification permitting spoofing an active session to PolicyKit. A remote attacker with SSH access can take advantage of this issue to gain PolicyKit privileges that are normally only granted to clients in an active session on the local console.

For the stable distribution (stretch), this problem has been fixed in version 232-25+deb9u11.

This update includes updates previously scheduled to be released in the stretch 9.9 point release.

We recommend that you upgrade your systemd packages.

For the detailed security status of systemd, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/systemd


RN-1393 (CM-24510)
Debian Security Advisory DSA-4425-1 for wget CVE-2019-5953

The following CVEs were announced in Debian Security Advisory DSA-4425-1 and affect the wget package.

This issue is fixed in Cumulus Linux 3.7.7.

-------------------------------------------------------------------------------------------

Debian Security Advisory DSA-4425-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

April 05, 2019 https://www.debian.org/security/faq

-------------------------------------------------------------------------------------------

Package : wget

CVE ID : CVE-2019-5953

Debian Bug : 926389

Kusano Kazuhiko discovered a buffer overflow vulnerability in the handling of Internationalized Resource Identifiers (IRI) in wget, a network utility to retrieve files from the web, which could result in the execution of arbitrary code or denial of service when recursively downloading from an untrusted server.

For the stable distribution (stretch), this problem has been fixed in version 1.18-5+deb9u3.

We recommend that you upgrade your wget packages.

For the detailed security status of wget, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/wget


RN-1394 (CM-24357)
Debian Security Advisory DSA-4416-1 for wireshark CVE-2019-5716 CVE-2019-5717 CVE-2019-5718 CVE-2019-5719 CVE-2019-9208 CVE-2019-9209 CVE-2019-9214

The following CVEs were announced in Debian Security Advisory DSA-4416-1 and affect the wireshark package.

This issue is fixed in Cumulus Linux 3.7.7.

-------------------------------------------------------------------------------------------

Debian Security Advisory DSA-4416-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

March 24, 2019 https://www.debian.org/security/faq

-------------------------------------------------------------------------------------------

Package: wireshark

CVE ID: CVE-2019-5716 CVE-2019-5717 CVE-2019-5718 CVE-2019-5719 CVE-2019-9208 CVE-2019-9209 CVE-2019-9214

Debian Bug: 923611

It was discovered that Wireshark, a network traffic analyzer, contained several vulnerabilities in the dissectors for 6LoWPAN, P_MUL, RTSE, ISAKMP, TCAP, ASN.1 BER and RPCAP, which could result in denial of service.

For the stable distribution (stretch), these problems have been fixed in version 2.6.7-1~deb9u1.

We recommend that you upgrade your wireshark packages.

For the detailed security status of wireshark, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/wireshark


RN-1395 (CM-24607)
VNI configuration change causes the MLAG peer link to be in STP blocking state

When you commit a configuration change to a VXLAN layer 2 VNI in an MLAG configuration, the peer link on the MLAG secondary switch goes into an STP blocking state.

This issue is fixed in Cumulus Linux 3.7.7.


RN-1397 (CM-24526)
On a Trident3 switch, transit packets larger than 1500 bytes (DF) routed between SVIs are unexpectedly forwarded to the CPU even when the MTU is greater than 9000

On Trident3 switches, transit packets larger than 1500 bytes (DF) routed between SVIs are unexpectedly forwarded to the CPU even when the MTU is greater than 9000. This severely limits throughput for routed jumbo frames because packets arriving at a high rate are punted to the CPU and dropped.

This issue is fixed in Cumulus Linux 3.7.7.


RN-1398 (CM-24523)
MLAG bond may fail to inherit the MLAG system MAC, causing one member to be excluded from the MLAG interface

This is likely a timing issue: an MLAG bond might come up and fail to inherit the configured MLAG system MAC address for the LACP identifier. This causes the remote side of the bond to choose one of the bond members and keep the other member down because, without the shared system MAC, each device tries to bring up the bond using its own interface MAC.

It is fairly easy to identify this issue, as the LACP ID does not match the MLAG system MAC.

This issue is fixed in Cumulus Linux 3.7.7.


RN-1399 (CM-23952)
ifupdown2 user policy overrides do not apply if multiple files reference same module

If multiple files reference the same module, ifupdown2 user-defined policy overrides do not apply.

This issue is fixed in Cumulus Linux 3.7.7.


RN-1400 (CM-24606)
Issuing reload frr to apply BFD timer changes in /etc/frr/frr.conf results in a neighbor flap

If you modify BFD timers in the /etc/frr/frr.conf file, then run the systemctl reload frr command, the neighbor connections flap.

This issue is fixed in Cumulus Linux 3.7.7.


RN-1403 (CM-24676)
On the Dell S3048 switch, cached FEC shows as BaseR on boot up even though FEC is off

On the Dell S3048 switch, ports with FEC disabled show as BaseR on boot up.

This issue is fixed in Cumulus Linux 3.7.7.


RN-1407 (CM-24484)
Removing the 'import vrf' statement from a BGP VRF instance without the default BGP instance defined causes bgpd to crash

If you have dynamic route leaking configured between any two VRFs and the BGP instance for the default VRF is not defined, removing an import vrf statement crashes bgpd. This occurs even if neither of the leaking VRFs are the default VRF.

This issue is fixed in Cumulus Linux 3.7.7.


RN-1410 (CM-24824)
DHCP relay crashes with the -nl flag when the server returns an offer

The dhcrelay service crashes when the DHCP relay packet comes back from the server.

To work around this issue, remove the --nl flag from the dhcrelay service.

This issue is fixed in Cumulus Linux 3.7.7.


RN-1419 (CM-19052)
Cumulus VX 3.4.3 and later bundles netq-agent, but CL 3.4.3 and later does not

The NetQ agent is bundled with Cumulus VX 3.4.3 and later; however, the NetQ agent is not bundled with Cumulus Linux 3.4.3 and later.

The NetQ agent has been removed from Cumulus VX 3.7.7. The NetQ agent will be bundled with Cumulus Linux in a future release.


RN-1421 (CM-22311)
In an EVPN configuration, you see a switchd error when the bridge goes down

When a VXLAN SVI transitions to a non-VXLAN SVI, the associated VRRP MAC addresses are not removed. After the transition happens, the removal fails as the VXLAN context is lost and you see the following switchd error:

2018-09-06T20:38:20.682916+00:00 dell-s6010-01 switchd[5445]: hal_bcm_l3.c:3436 ERR cannot find l3 intf for vlan: 224 mac: 00:00:5e:00:01:01 (-7)
2018-09-06T20:38:20.686105+00:00 dell-s6010-01 switchd[5445]: hal_bcm_l3.c:3436 ERR cannot find l3 intf for vlan: 223 mac: 00:00:5e:00:01:01 (-7)
2018-09-06T20:38:20.773581+00:00 dell-s6010-01 switchd[5445]: hal_bcm_l3.c:3436 ERR cannot find l3 intf for vlan: 112 mac: 00:00:5e:00:01:01 (-7)
2018-09-06T20:38:20.776986+00:00 dell-s6010-01 switchd[5445]: hal_bcm_l3.c:3436 ERR cannot find l3 intf for vlan: 111 mac: 00:00:5e:00:01:01 (-7)

This issue is fixed in Cumulus Linux 3.7.7.


RN-1423 (CM-20189)
clagd OSError: [Errno 12] Cannot allocate memory

Under certain conditions, the clagd process leaks memory, eventually crashes, and then restarts. During this time, traffic flows over this switch are impacted temporarily. The /var/log/clagd.log file shows a message similar to the following:

clagd[1824]: OSError: [Errno 12] Cannot allocate memory

This issue is fixed in Cumulus Linux 3.7.7.


RN-1424 (CM-24838)
On the Dell N3048EP-ON switch, the poectl port numbering in JSON is off by one

The poectl -j command output does not show the correct port numbering in JSON; it is off by one.

This issue is fixed in Cumulus Linux 3.7.7.


RN-1426 (CM-24770)
On the Dell S4048-ON switch with BIOS 3.21.0.0-6, various reboot, shutdown, and init commands hang the switch

After upgrading the BIOS to 3.21.0.0-6, when you run the reboot, shutdown or init commands with certain options, the switch powers off. To determine the BIOS version of the switch, run:

cumulus@switch:~$ sudo dmidecode -s system-version
3.21.0.0-6

This issue is fixed in Cumulus Linux 3.7.7.


RN-1434 (CM-25103)
Received EVPN type-5 routes are not programmed in the kernel VRF routing table

Received EVPN type-5 routes are not installed into the kernel VRF routing table even though the route appears to be correct. The failure to install the default route makes the rack unreachable from the external world.

This issue is fixed in Cumulus Linux 3.7.7.


RN-1435 (CM-24933)
Stale EVPN routes present after IP mobility

In an EVPN configuration, the old MAC/IP route is present in the routing table after an IP mobility event.

This issue is fixed in Cumulus Linux 3.7.7.


RN-1437 (CM-25208)
SNMP reports 0 for ifSpeed on swp interfaces

SNMP shows 0 for all swp interfaces in the ifSpeed field (bond interfaces, lo and eth0 are not affected and show a value).

This issue is fixed in Cumulus Linux 3.7.7.


RN-1438 (CM-24829)
The RADIUS AAA client does source IP address bind and setsockopt VRF in reverse order

The RADIUS AAA client does the source IP address bind first, then the setsockopt VRF, which causes a failure due to a kernel check for an address mismatch with the VRF.

This issue is fixed in Cumulus Linux 3.7.7.


RN-1443 (CM-25033)
OVSDB gets FQDN hostname instead of the short hostname

The vtep-ctl list-ports <physical-switch-name> command returns ports with the fully qualified domain name of the switch instead of the short hostname.

This issue is fixed in Cumulus Linux 3.7.7.


RN-1444 (CM-25167)
The clear bgp command does not honor address-family and just clears ipv6 unicast

The clear bgp command does not support multiple address families. For example, the following command clears IPv6 unicast and ignores IPv4 unicast:

cumulus@switch:~$ clear bgp l2vpn evpn

To clear IPv4 unicast, use the clear ip bgp command. For example, the following command clears IPv4 unicast and ignores IPv6 unicast:

cumulus@switch:~$ clear ip bgp l2vpn evpn

This issue is fixed in Cumulus Linux 3.7.7.


RN-1445 (CM-25141)
TACACS-authenticated users cannot use net commands even though mapped TACACS users are in the netedit and/or netshow groups

A TACACS privilege level 15 user mapped to tacacs15 cannot use net commands even though the user is part of the netedit and/or netshow user group.

This issue is fixed in Cumulus Linux 3.7.7.


RN-1449 (CM-25030)
MLAG processing of VXLAN state synchronization might result in a hardware programming error

Under certain circumstances (when you reboot or restart the switchd service), a race condition might occur which causes a synchronization issue resulting in hardware misprogramming of the VXLAN tunnel endpoint interface (VTEP). Packets destined out this tunnel are dropped in the egress direction. Packets arriving on this tunnel are dropped in the ingress direction. This is due to a race condition between ASIC and kernel programming that causes the kernel to incorrectly process the link state of a VXLAN interface.

To work around this issue, you can bounce the layer 3 SVI for the affected VRF. For example:

ifdown vlan123 ; sleep 2 ; ifup vlan123

Run the net show vrf vni command to show a mapping of the layer 3 VNI to layer 3 SVI for the VRF.

Note: This workaround is not guaranteed because the race condition cannot always be avoided.

This issue is fixed in Cumulus Linux 3.7.7.


RN-1455 (CM-24858)
On Broadcom switches, TPID programming is not reset on a configuration change

On the Broadcom switch, TPID programming is not reset when there is a configuration change. As a result, you see unexpected packet drops.

This issue is fixed in Cumulus Linux 3.7.7.


RN-1456 (CM-24895)
On Trident2 switches, egress double-tagged frames incorrectly use 802.1Q outer ethertype instead of 802.1AD

On Trident2 switches, egress double-tagged frames incorrectly use 802.1Q outer ethertype instead of 802.1AD.

This issue is fixed in Cumulus Linux 3.7.7.


RN-1457 (CM-25117)
BGP routes stop advertising after 128 VRFs

If you have a configuration with more than 128 VRFs, BGP routes stop advertising.

This issue is fixed in Cumulus Linux 3.7.7.


RN-1459 (CM-25137)
watchfrr times out and bgpd becomes unresponsive after a convergence event in a highly scaled environment

In a highly-scaled environment, while BGP is undergoing initial convergence, watchfrr times out and bgpd stops responding.

This issue is fixed in Cumulus Linux 3.7.7.


RN-1460 (CM-25325)
Debian Security Advisory DSA-4462-1 for dbus CVE-2019-12749 (part of systemd)

The following CVEs were announced in Debian Security Advisory DSA-4462-1 and affect the dbus package.

This issue is fixed in Cumulus Linux 3.7.7.

----------------------------------------------------------------------------------------------

Debian Security Advisory DSA-4462-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

June 13, 2019 https://www.debian.org/security/faq

----------------------------------------------------------------------------------------------

Package : dbus

CVE ID : CVE-2019-12749

Debian Bug : 930375

Joe Vennix discovered an authentication bypass vulnerability in dbus, an asynchronous inter-process communication system. The implementation of the DBUS_COOKIE_SHA1 authentication mechanism was susceptible to a symbolic link attack. A local attacker could take advantage of this flaw to bypass authentication and connect to a DBusServer with elevated privileges.

The standard system and session dbus-daemons in their default configuration are not affected by this vulnerability.

The vulnerability was addressed by upgrading dbus to a new upstream version 1.10.28 which includes additional fixes.

For the stable distribution (stretch), this problem has been fixed in version 1.10.28-0+deb9u1.

We recommend that you upgrade your dbus packages.

For the detailed security status of dbus, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/dbus


RN-1461 (CM-24975)
Debian Security Advisory DSA-4442-1 for ghostscript CVE-2019-3839

The following CVEs were announced in Debian Security Advisory DSA-4442-1 and affect the ghostscript package.

This issue is fixed in Cumulus Linux 3.7.7.

----------------------------------------------------------------------------------------------

Debian Security Advisory DSA-4442-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

May 12, 2019 https://www.debian.org/security/faq

----------------------------------------------------------------------------------------------

Package : ghostscript

CVE ID : CVE-2019-3839

A vulnerability was discovered in Ghostscript, the GPL PostScript/PDF interpreter, which may result in denial of service or the execution of arbitrary code if a malformed Postscript file is processed (despite the -dSAFER sandbox being enabled).

For the stable distribution (stretch), this problem has been fixed in version 9.26a~dfsg-0+deb9u3.

We recommend that you upgrade your ghostscript packages.

For the detailed security status of ghostscript, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/ghostscript


RN-1462 (CM-24925)
Debian Security Advisory DSA-4438-1 for atftp CVE-2019-11365 CVE-2019-11366

The following CVEs were announced in Debian Security Advisory DSA-4438-1 and affect the atftp package.

This issue is fixed in Cumulus Linux 3.7.7.

----------------------------------------------------------------------------------------------

Debian Security Advisory DSA-4438-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

May 07, 2019 https://www.debian.org/security/faq

----------------------------------------------------------------------------------------------

Package: atftp

CVE ID: CVE-2019-11365 CVE-2019-11366

Debian Bug: 927553

Denis Andzakovic discovered two vulnerabilities in atftp, the advanced TFTP server which could result in denial of service by sending malformed packets.

For the stable distribution (stretch), these problems have been fixed in version 0.7.git20120829-3.1~deb9u1.

We recommend that you upgrade your atftp packages.

For the detailed security status of atftp please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/atftp


RN-1463 (CM-25106)
On the Dell N3048EP switch, the I2C bus might stick

On the Dell N3048EP switch, the I2C bus might lock up, and when you log into the console, you see the following message:

bcm-iproc-i2c 1803b000.i2c: bus is busy

As a result, temperatures cannot be monitored. However, traffic is not affected (links do not go down).

This issue is fixed in Cumulus Linux 3.7.7.


RN-1473 (CM-24712)
On the EdgeCore AS4610-54P switch, you see the log message Unhandled Exception : Traceback (most recent call last):#012

On the EdgeCore AS4610-54P switch, at any moment and without warning, your PoE devices might all go down as PoEd crashes and an error message might be logged. There is no functional impact after a restart.

This issue is fixed in Cumulus Linux 3.7.7.


RN-1477 (CM-25415)
On Broadcom Trident3 switches, VXLAN packets (tenant traffic flows) are not transmitted on the peer link sub-interface (peerlink.4094)

In a typical CLOS network, each leaf is connected to all spine nodes, and VXLAN packets follow leaf-spine links. However, certain failure scenarios or maintenance activity might leave the MLAG primary switch isolated from the spine layer, so that the only available network path is across the peer link. In that situation, the MLAG primary switch fails to transmit VXLAN encapsulated packets out on the peer link. It is also possible for the MLAG secondary switch to be isolated from the spine layer, in which case the problem is seen on the MLAG secondary switch.

The issue occurs because the Broadcom Trident3 switch does not perform VLAN translation for VXLAN encapsulated packets where the tunnel is not terminated.

To work around this issue, configure the BGP peering on a new VLAN interface (for example, vlan4093) instead of the peer link sub-interface (peerlink.4094).

This issue is fixed in Cumulus Linux 3.7.7.


RN-1481 (CM-23948)
You can remove the default BGP instance even if there are other instances that depend on it

In FRR, you can remove the default BGP instance even if there are other instances that depend on it, which causes configuration issues.

This issue is fixed in Cumulus Linux 3.7.7.


RN-1482 (CM-23856)
On the QCT QuantaMesh T1048-LY4R, smonctl reports that all PSUs are missing

On the QuantaMesh T1048-LY4R, smonctl reports that all power supplies are absent:

cumulus@switch:~$ smonctl
Fan1      (Fan 1                                 ):  OK
Fan2      (Fan 2                                 ):  OK
Fan3      (Fan 3                                 ):  OK
PSU1                                              :  ABSENT
PSU2                                              :  ABSENT
PSU1Temp1 (PSU1 Temp1                            ):  ABSENT
PSU1Temp2 (PSU1 Temp2                            ):  ABSENT
PSU2Temp1 (PSU2 Temp1                            ):  ABSENT
PSU2Temp2 (PSU2 Temp2                            ):  ABSENT
Temp1     (Core 0                                ):  OK
Temp2     (Core 1                                ):  OK
Temp3     (Ambient Temp 0                        ):  OK
Temp4     (Ambient Temp 1                        ):  OK
Temp5     (Ambient Temp 2                        ):  OK
Temp6     (Ambient Temp 3                        ):  OK
Temp7     (Ambient Temp 4                        ):  OK
Temp8     (CPU Temp                              ):  OK

This issue is fixed in Cumulus Linux 3.7.7.


RN-1483 (CM-23889)
100G-LR4 issue with link establishment over a long distance

On the Mellanox SN2700 switch, the 100G-LR4 port might have problems establishing a link over a long distance (around 500 miles) through a telco service provider after a flap. If the laser is forced up by the link provider's equipment, the circuit comes up. However, the circuit cannot survive a flap and the link remains down after a flap event.

This issue is fixed in Cumulus Linux 3.7.7. However, you might have to explicitly disable auto-negotiation and FEC in this scenario.


RN-1484 (CM-20222)
10G SR interface shows as 25G in the kernel or 40G as 100G

During system boot, Cumulus Linux reads the /etc/cumulus/ports.conf file to obtain the port speed. The port speed is programmed into the ASIC and synchronized to the kernel. After system boot, the kernel speed shows correctly because it matches the ASIC speed that is derived from the /etc/cumulus/ports.conf file and the cable type. However, if you restart switchd without rebooting the system, switchd synchronizes the speed from the kernel and uses it to program the ASIC. When you change the port speed in the /etc/cumulus/ports.conf file to either a higher or lower speed (for example, from 100G to 40G or from 40G to 100G) and the attached cable can support both speeds, the pre-existing speed is synchronized from the kernel. Consequently, the kernel speed remains at the pre-existing (incorrect) speed.

This issue is fixed in Cumulus Linux 3.7.7.


RN-1517 (CM-25860)
There is no NCLU command to change the bridge MTU

If you change the MTU of an SVI, you must also change it on the bridge to match the highest configured MTU. The bridge MTU cannot be less than that of an SVI. However, there is no NCLU command to change the bridge MTU.

This is a known limitation. The note in this section of the user guide provides more information about MTU settings for bridge members.

The following issues were added on October 4, 2019.


RN-1575 (CM-25403)
On the EdgeCore AS7726, switchd startup fails when splitting all 32 ports into 4X

When all ports are split into 4X on the EdgeCore AS7726 switch, switchd fails to start up and a crash is seen in syslog.

This issue is fixed in Cumulus Linux 3.7.7.


RN-1576 (CM-25158)
ifupdown2 does string comparison for MAC addresses

In Cumulus Linux 3.7.6 and earlier, ifupdown2 does a string comparison to see if two addresses are the same. In Cumulus Linux 3.7.7, ifupdown2 does an integer comparison. For example, in Cumulus Linux 3.7.6 and earlier, hwaddress 00:00:5e:62:f8:02 and hwaddress 00:00:5e:62:f8:2 are not considered to be equal. In Cumulus Linux 3.7.7 and later, they are considered equal since 2 implies a leading zero.

This issue is fixed in Cumulus Linux 3.7.7.
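The two comparison behaviours described above, shown side by side as an added example; this is not ifupdown2's own code, and the sample hwaddress values are the ones quoted in this note:

```python
import re

# Added example code, not ifupdown2's implementation. It contrasts the
# pre-3.7.7 string comparison of hwaddress values with the 3.7.7 integer
# comparison described in RN-1576.
_OCTET_RE = re.compile(r"^[0-9A-Fa-f]{1,2}$")


def mac_to_int(mac: str) -> int:
    """Parse a colon-separated MAC into its 48-bit integer value.

    Octets may be written with one or two hex digits, so '2' and '02'
    parse to the same octet. Anything that is not six octets of 0..255
    raises ValueError rather than silently comparing as unequal.
    """
    parts = mac.strip().split(":")
    if len(parts) != 6:
        raise ValueError(f"expected 6 octets, got {len(parts)}: {mac!r}")
    value = 0
    for part in parts:
        if not _OCTET_RE.match(part):
            raise ValueError(f"bad octet {part!r} in {mac!r}")
        value = (value << 8) | int(part, 16)
    return value


def macs_equal_string(a: str, b: str) -> bool:
    """Cumulus Linux 3.7.6 and earlier behaviour: compare the configured
    strings verbatim, so a dropped leading zero makes them differ."""
    return a.strip() == b.strip()


def macs_equal_int(a: str, b: str) -> bool:
    """Cumulus Linux 3.7.7 behaviour: compare the parsed 48-bit values."""
    return mac_to_int(a) == mac_to_int(b)


def canonical_mac(mac: str) -> str:
    """Render a MAC with two lower-case hex digits per octet, which is the
    form to write into a configuration if you want both comparison styles
    to agree."""
    v = mac_to_int(mac)
    return ":".join(f"{(v >> (8 * i)) & 0xFF:02x}" for i in range(5, -1, -1))


if __name__ == "__main__":
    # Constructed sample input: the pair quoted in RN-1576.
    a, b = "00:00:5e:62:f8:02", "00:00:5e:62:f8:2"
    print("string compare:", macs_equal_string(a, b))   # False
    print("integer compare:", macs_equal_int(a, b))     # True
    print("canonical form:", canonical_mac(b))          # 00:00:5e:62:f8:02
```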


RN-1577 (CM-23748)
A dummy interface does not inherit the MTU from /etc/network/ifupdown2/policy.d files

A dummy interface does not inherit the MTU from a defaults file in /etc/network/ifupdown2/policy.d. A dummy interface is typically used to keep SVI interfaces up when there are no switch ports up that are associated with that VLAN.

This issue is fixed in Cumulus Linux 3.7.7.

New Known Issues in Cumulus Linux 3.7.7

The following issues affect the Cumulus Linux 3.7.7 release.

Release Note ID Summary Description

RN-1490 (CM-25417)
The link-local neighbor entry is not created with IPv4 routes over IPv6 GUA peering, resulting in a forwarding failure

The IP neighbor entry for a link-local next hop (169.254.x.x) is not installed by FRR, which results in a forwarding failure for routes via that next hop. This is a rare problem that occurs with IPv4 route exchange over IPv6 GUA peering with no IPv4 addresses on the interfaces.

To work around this issue, flap the peering to the peer router (which can be a route reflector) to recover. To avoid this issue, configure IPv6 router advertisements on the connecting interfaces.

This is a known issue that is currently being investigated.

The following new issue was added on July 24, 2019.

RN-1493 (CM-25664)
On Trident3 switches, you cannot program more than 50 percent ASIC capacity of ECMP next hops

On the Trident3 platform, you can only add 50 percent of the total ECMP next hops. A log message indicates that the table is full.

This is a known issue that is currently being investigated.

The following new issues were added on July 30, 2019.

RN-1494 (CM-25487)
Debian Security Advisory DSA-4475-1 for openssl CVE-2019-1543

The following CVEs were announced in Debian Security Advisory DSA-4475-1 and affect the openssl package.

There is no fix currently planned for this issue.

----------------------------------------------------------------------------------------------

Debian Security Advisory DSA-4475-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

July 01, 2019 https://www.debian.org/security/faq

----------------------------------------------------------------------------------------------

Package: openssl

CVE ID: CVE-2019-1543

Joran Dirk Greef discovered that overly long nonces used with ChaCha20-Poly1305 were incorrectly processed and could result in nonce reuse. This doesn't affect OpenSSL-internal uses of ChaCha20-Poly1305 such as TLS.

For the stable distribution (stretch), this problem has been fixed in version 1.1.0k-1~deb9u1. This DSA also upgrades openssl1.0 (which itself is not affected by CVE-2019-1543) to 1.0.2s-1~deb9u1.

We recommend that you upgrade your openssl packages.

For the detailed security status of openssl, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/openssl


RN-1495 (CM-25801)
Using hostnamectl or the systemd-hostnamed process fills syslog with constant kernel messages, such as unregister_netdevice: waiting for lo to become free. Usage count = 2

When you run the hostnamectl status command or start the systemd-hostnamed process, you see constant unregister_netdevice kernel messages in syslog and on the console. This causes the syslog to become filled with messages and makes troubleshooting difficult.

This is a known issue that is currently being investigated.


RN-1496 (CM-25783)
onie-install stages the installer even if checksum validation fails

Cumulus Linux installer images have a shell script that validates checksum integrity. When you run onie-install, this check is run but the installer is still staged even if the checksum validation fails.

To work around this issue, perform your own checksum validation before staging a new image with onie-install.

This is a known issue that is currently being investigated.


RN-1497 (CM-25766)
On the Dell-N3048EP switch, apt upgrade does not work

When you run the apt upgrade command on the Dell-N3048EP switch, the upgrade does not work.

This is a known issue that is currently being investigated.

The following new issue was added on August 9, 2019.

RN-1514 (CM-21354)
Debian Security Advisory DSA-4213-1 for qemu CVE-2017-5715 CVE-2017-15038 CVE-2017-15119 CVE-2017-15124 CVE-2017-15268 CVE-2017-15289 CVE-2017-16845 CVE-2017-17381 CVE-2017-18043 CVE-2018-5683 CVE-2018-7550

The following CVEs were announced in Debian Security Advisory DSA-4213-1 and affect the qemu package.

-------------------------------------------------------------------------------------

Debian Security Advisory DSA-4213-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

May 29, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------------------

Package: qemu

CVE ID: CVE-2017-5715 CVE-2017-15038 CVE-2017-15119 CVE-2017-15124 CVE-2017-15268 CVE-2017-15289 CVE-2017-16845 CVE-2017-17381 CVE-2017-18043 CVE-2018-5683 CVE-2018-7550

Debian Bug: 877890 880832 880836 882136 883399 883625 884806 886532 887392 892041

Several vulnerabilities were discovered in qemu, a fast processor emulator.

CVE-2017-15038

Tuomas Tynkkynen discovered an information leak in 9pfs.

CVE-2017-15119

Eric Blake discovered that the NBD server insufficiently restricts large option requests, resulting in denial of service.

CVE-2017-15124

Daniel Berrange discovered that the integrated VNC server insufficiently restricted memory allocation, which could result in denial of service.

CVE-2017-15268

A memory leak in websockets support may result in denial of service.

CVE-2017-15289

Guoxiang Niu discovered an OOB write in the emulated Cirrus graphics adaptor which could result in denial of service.

CVE-2017-16845

Cyrille Chatras discovered an information leak in PS/2 mouse and keyboard emulation which could be exploited during instance migration.

CVE-2017-17381

Dengzhan Heyuandong Bijunhua and Liweichao discovered that an implementation error in the virtio vring implementation could result in denial of service.

CVE-2017-18043

Eric Blake discovered an integer overflow in an internally used macro which could result in denial of service.

CVE-2018-5683

Jiang Xin and Lin ZheCheng discovered an OOB memory access in the emulated VGA adaptor which could result in denial of service.

CVE-2018-7550

Cyrille Chatras discovered that an OOB memory write when using multiboot could result in the execution of arbitrary code.

This update also backports a number of mitigations against the Spectre v2 vulnerability affecting modern CPUs (CVE-2017-5715). For additional information, refer to https://www.qemu.org/2018/01/04/spectre/

For the stable distribution (stretch), these problems have been fixed in version 1:2.8+dfsg-6+deb9u4.

We recommend that you upgrade your qemu packages.

For the detailed security status of qemu, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/qemu

The following new issue was added on August 12, 2019.

RN-1518 (CM-25770)
On Tomahawk switches, 40G DACs with auto-negotiation enabled are programmed as 20G KR2 in hardware

On a Tomahawk switch, the 5m 40G DACs (40G CR4) do not come up when both sides have auto-negotiation enabled.

This is a known issue that is currently being investigated.

The following new issue was added on August 27, 2019.

RN-1526 (CM-25488)
On Broadcom switches, VXLAN decapsulation routing next-hop is incorrectly programmed after VNI protodown

On Broadcom-based VXLAN routing capable platforms, VXLAN traffic received at the egress VTEP might be dropped because the hardware is misprogrammed. This issue is related to timing and is not easily reproduced.

This issue might occur after a VXLAN interface (VNI) state transition (the peerlink goes down and puts VNI into a protodown state, then the peerlink comes back and the VNI returns to UP) and is related to how the next-hop information is programmed in hardware. Sometimes the host routes corresponding to this VXLAN segment are mis-programmed with the wrong next hop information.

To work around this issue, restart the switchd service with the sudo systemctl restart switchd.service command.

This is a known issue that is currently being investigated.

The following issues were added on September 11, 2019.


RN-1553 (CM-26217)
You cannot configure OSPF NSSAs with NCLU

NCLU does not allow you to configure OSPF NSSAs. For example:

cumulus@switch:~$ net add ospf area 0.0.0.1 nssa
ERROR: Command not found.

    net add ospf area 0.0.0.1 nssa

To work around this issue, use FRR instead. For example:

switch# configure terminal
switch(config)# router ospf
switch(config-router)# area 0.0.0.1 nssa

This is a known issue that is currently being investigated.


RN-1554 (CM-26024)
On Mellanox switches, the EVPN underlay does not consistently hash the VXLAN encapsulated TCP flow

On Mellanox switches, the underlay hashes VXLAN packets for a given overlay flow randomly.

To work around this issue, configure the ECMP hash seed to the same value on the EVPN egress leaf switches.

This is a known issue that is currently being investigated.


RN-1557 (CM-26179)
net show lldp error when utf-8 characters exist in hostnames

If a hostname contains utf-8 characters, the NCLU net show lldp command outputs an error similar to the following:

ERROR: 'ascii' codec can't encode character u'\xe9' in position 3: ordinal not in range(128)
See /var/log/netd.log for more details.

This is a known issue that is currently being investigated.

The following new issues were added on October 4, 2019.

RN-1566 (CM-26073)
watchfrr calls sudo /usr/sbin/service frr restart bgpd, which restarts all FRR daemons

watchfrr calls sudo /usr/sbin/service frr restart bgpd, but this restarts all FRR daemons, which can cause a large outage. This occurs because watchfrr uses an old-style service command that restarts all daemons when a single daemon fails.

This is a known issue that is currently being investigated.


RN-1568 (CM-25979)
Route leaking between default BGP instance and another instance fails after FRR restart

Dynamic route-leaking works as expected until FRR is restarted or the switch is rebooted. After the restart or reboot, the import RT under the VRF where routes are being imported is incorrect.

This is a known issue that is currently being investigated.

Issues Fixed in Cumulus Linux 3.7.6

The following is a list of issues fixed in Cumulus Linux 3.7.6 from earlier versions of Cumulus Linux.


RN-606 (CM-6366)
BGP: MD5 password is not enforced for dynamic neighbors

In testing, it was determined that the MD5 password configured against a BGP listen-range peer-group (used to accept and create dynamic BGP neighbors) is not enforced (connections are accepted from peers that do not specify a password).

This issue is fixed in Cumulus Linux 3.7.6.


RN-760 (CM-18682)
smonctl utility JSON parsing error

There is a parsing error with the smonctl utility. When you choose JSON output, the smonctl utility sometimes crashes. The JSON output is necessary to make the information available through SNMP.

This issue is fixed in Cumulus Linux 3.7.6.


RN-1155 (CM-22755)
In a VXLAN/EVPN environment, packet loss is observed when an unrelated interface goes down

In a VXLAN/EVPN environment, when an unrelated interface either goes down or comes up, traffic traversing through the other underlay interface stops working for about two milliseconds.

This issue is fixed in Cumulus Linux 3.7.6.


RN-1322 (CM-24370)
Incorrect ARP/ND packets when VLAN interface flaps in an EVPN centralized routing configuration

In an EVPN centralized routing deployment, the border leaf sends out incorrect packets when flapping the VLAN interface.

This issue is fixed in Cumulus Linux 3.7.6.


RN-1347 (CM-24315)
SNMP crashes with error Unknown operation 6 in agentx_got_response

The snmpd daemon sometimes crashes with the error Unknown operation 6 in agentx_got_response.

This issue is fixed in Cumulus Linux 3.7.6.


RN-1354 (CM-24502)
Input chain ACL affects forward chain traffic when routed by a VRR IP

When traffic is routed by the VRR IP of an SVI, forward chain traffic is erroneously matched to input chain ACLs.

This issue is fixed in Cumulus Linux 3.7.6.


RN-1371 (CM-24490)
Routes in the non-default VRF are not installed in hardware

Routes configured in the non-default VRF are not installed in hardware. Restarting switchd or rebooting the switch does not resolve the issue.

This issue is fixed in Cumulus Linux 3.7.6. This issue was discovered on the Helix4 switch but applies to all switches.

In Cumulus Linux 3.7.5 and earlier, do not include the string eth in non-management interface names; routes associated with those interfaces might not be installed in hardware.


RN-1372 (CM-24665)
Platform json file not populated properly on the Dell S5048F-ON switch

The platform json file for the Dell S5048F-ON switch is improperly populated. This creates an issue when trying to poll the inventory statistics with NetQ.

This issue is fixed in Cumulus Linux 3.7.6.


RN-1381 (CM-24367)
The Celestica SmallstoneXP switch reports an invalid SFF identifier after you migrate to Cumulus Linux from a different NOS

On the Celestica SmallstoneXP switch, the QSFP links do not come up after you migrate to Cumulus Linux from a different network operating system and you see invalid SFF identifier errors similar to the following:

var/log/syslog.1:2019-03-14T20:36:33.394402+00:00 switch01 portwd: 
  Port 23, invalid SFF identifier: 0x00 (repeated 325 times)

This issue is fixed in Cumulus Linux 3.7.6.


RN-1382 (CM-24642)
The EdgeCore 7326-54X switch reports a platform-hw-init error

The EdgeCore 7326-54X switch reports a platform hardware initialization error similar to the following:

2019-04-16T12:29:49.254573+00:00 cumulus platform-hw-init[424]: 
  /etc/hw_init.d/S10sfp_init.sh: 
  line 28: /sys/bus/platform/devices/accton_as7326_56x_cpld.0/sfp_tx_disable:
 Permission denied

The SFP28 module in the port might fail to initialize at startup.

This issue is fixed in Cumulus Linux 3.7.6.


RN-1412 (CM-24573)
The Dell S4148 switch shows both PSUs as PSU1 in sensor output

smonctl shows PSU1 and PSU2; however, in the sensors output, both PSUs are listed as PSU1.

This is expected on the Dell S4148 switch. See the Cumulus Linux User Guide.

The following new issues were added on June 18, 2019.


RN-1450 (CM-24694)
On the EdgeCore AS7726 and AS7326 switches, ports are down after reboot

On the EdgeCore AS7726 and AS7326 switches, physical links might stay operationally down (no-carrier) after a reboot. The problem is caused by a hardware initialization script that is not executed properly when the system boots up and is timing related.

This issue is fixed in Cumulus Linux 3.7.6.


RN-1451 (CM-24677)
On the Dell Z9100 switch, multiple sensors show alerts then return to normal state

On the Dell Z9100-ON switch, smond reports various sensors going from OK to BAD or OK to ABSENT; then the sensors recover.

This issue is fixed in Cumulus Linux 3.7.6.


RN-1452 (CM-24396)
switchd crashes due to label route nexthop add

The switchd service crashes when you add a route with a nexthop label.

This issue is fixed in Cumulus Linux 3.7.6.


RN-1453 (CM-24968)
Sticky MAC address not removed from FRR after deleted in FDB

If you configure bridge-learning off on a host-facing link in a VXLAN/EVPN environment and use static FDB entries instead, then turn bridge-learning on and delete those static entries, the entries are re-learned as expected in the bridge FDB table; however, they are not installed into FRR and a log message is recorded in /var/log/frr/frr.log.

This issue is fixed in Cumulus Linux 3.7.6.


RN-1454 (CM-24275)
SVI loses IP address after running ifreload -a when ifreload_down_changed=1

After you add or remove a VLAN from a VLAN-aware bridge or from a trunk, either with an NCLU command or by manually editing the /etc/network/interfaces file and running ifreload -a, an SVI bound to a different VLAN loses the IPv4 address defined for it in the /etc/network/interfaces file.

This issue is fixed in Cumulus Linux 3.7.6.


RN-1498 (CM-25739)
Routed traffic is dropped when the bond interface does not have LACP neighbor information with LACP bypass configured

When a layer 3 bond interface is configured with LACP bypass enabled and the directly connected link does not have LACP configured, transit routed traffic is dropped.

Any of the following steps brings the connectivity back:

  • Configure the layer 3 interface on the physical link instead of using a bond
  • Configure the LACP bond on the switch port so that the AS has neighbor LACP information
  • Configure the bond interface as balanced-xor mode instead of LACP

This issue is documented in the user guide.

New Known Issues in Cumulus Linux 3.7.6

The following issues affect the Cumulus Linux 3.7.6 release.


RN-1383 (CM-24803)
The onie-install command does not work on the Dell N3048EP-ON switch

When you execute the following command on the Dell N3048EP-ON, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support.

sudo onie-install -fai http://<path to image>
sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image.

This is a known issue that is currently being investigated.


RN-1384 (CM-24805)
Debian Security Advisory DSA-4436-1 for imagemagick CVE-2019-9956 CVE-2019-10650

The following CVEs were announced in Debian Security Advisory DSA-4436-1 and affect the imagemagick packages.

-------------------------------------------------------------------------------------------

Debian Security Advisory DSA-4436-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

April 28, 2019 https://www.debian.org/security/faq

------------------------------------------------------------------------------------------

This update fixes two vulnerabilities in Imagemagick: Memory handling problems and missing or incomplete input sanitising may result in denial of service, memory disclosure or the execution of arbitrary code if malformed TIFF or Postscript files are processed.

For the stable distribution (stretch), these problems have been fixed in version 8:6.9.7.4+dfsg-11+deb9u7.

We recommend that you upgrade your imagemagick packages.

For the detailed security status of imagemagick, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/imagemagick


RN-1385 (CM-23636)
Debian Security Advisory DSA-4371-1 for apt CVE-2019-3462

The following CVE was announced in Debian Security Advisory DSA-4371-1 and affects the apt package.

-------------------------------------------------------------------------------------------

Debian Security Advisory DSA-4371-1 security@debian.org

https://www.debian.org/security/ Yves-Alexis Perez

January 22, 2019 https://www.debian.org/security/faq

-------------------------------------------------------------------------------------------

Max Justicz discovered a vulnerability in APT, the high level package manager.

The code handling HTTP redirects in the HTTP transport method doesn't properly sanitize fields transmitted over the wire. This vulnerability could be used by an attacker located as a man-in-the-middle between APT and a mirror to inject malicious content in the HTTP connection. This content could then be recognized as a valid package by APT and used later for code execution with root privileges on the target machine. Since the vulnerability is present in the package manager itself, it is recommended to disable redirects in order to prevent exploitation during this upgrade only, using:

apt -o Acquire::http::AllowRedirect=false update

apt -o Acquire::http::AllowRedirect=false upgrade

This is known to break some proxies when used against security.debian.org. If that happens, you can switch the security APT source to use deb http://cdn-fastly.deb.debian.org/debian-security stable/updates main.

For the stable distribution (stretch), this problem has been fixed in version 1.4.9.


RN-1386 (CM-24713)
On the Trident3 switch, support for peer link subinterface as the outgoing interface for VXLAN encapsulated traffic is not working

Using the peer link subinterface as the outgoing interface for VXLAN encapsulated traffic does not work on Trident3 switches.

This is a known issue that is currently being investigated.


RN-1387 (CM-24686)
Negative fan speed for PSU2Fan1 on the EdgeCore AS5812-54X

On the EdgeCore AS5812-54X switch, the PSU2 Fan1 fluctuates between OK and LOW. When the fan speed is reported as LOW, the RPM is shown as a negative number.

This is a known issue that is currently being investigated.


RN-1388 (CM-24593)
On the Dell S5248F switch, packets forwarded to the CPU are sometimes corrupted

On a Dell S5248F (Trident3) switch, packets from switch ports are forwarded to the CPU and are sometimes corrupted. The corruption might result in BGP peerings being down, which can lead to all VXLAN traffic to and from a node to be lost, causing an outage to dually connected hosts in a rack.

To work around this issue, restart switchd.

This is a known issue that is currently being investigated.


RN-1389 (CM-24663)
The EdgeCore AS7326-54X cannot read the board EEPROM

On the EdgeCore 7326-54X switch, switchd does not start on initial install because the decode-syseeprom command fails. However in ONIE, onie-syseeprom has no issues. This issue is fixed in Cumulus Linux 3.7.7.

This is a known issue that is currently being investigated.


RN-1390 (CM-24645)
Debian Security Advisory DSA-4433-1 for ruby2.3 CVE-2019-8320 CVE-2019-8321 CVE-2019-8322 CVE-2019-8323 CVE-2019-8324 CVE-2019-8325

The following CVEs were announced in Debian Security Advisory DSA-4433-1 and affect the ruby2.3 package.

-------------------------------------------------------------------------------------------

Debian Security Advisory DSA-4433-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

April 16, 2019 https://www.debian.org/security/faq

-------------------------------------------------------------------------------------------

Package : ruby2.3

CVE ID : CVE-2019-8320 CVE-2019-8321 CVE-2019-8322 CVE-2019-8323 CVE-2019-8324 CVE-2019-8325

Several vulnerabilities have been discovered in the Rubygems included in the interpreter for the Ruby language, which may result in denial of service or the execution of arbitrary code.

For the stable distribution (stretch), these problems have been fixed in version 2.3.3-1+deb9u6.

We recommend that you upgrade your ruby2.3 packages.

For the detailed security status of ruby2.3, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/ruby2.3


RN-1391 (CM-24644)
Debian Security Advisory DSA-4432-1 for ghostscript CVE-2019-3835 CVE-2019-3838

The following CVEs were announced in Debian Security Advisory DSA-4432-1 and affect the ghostscript package.

-------------------------------------------------------------------------------------------

Debian Security Advisory DSA-4432-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

April 16, 2019 https://www.debian.org/security/faq

-------------------------------------------------------------------------------------------

Package : ghostscript

CVE ID : CVE-2019-3835 CVE-2019-3838

Debian Bug : 925256 925257

Cedric Buissart discovered two vulnerabilities in Ghostscript, the GPL PostScript/PDF interpreter, which could result in bypass of file system restrictions of the dSAFER sandbox.

For the stable distribution (stretch), these problems have been fixed in version 9.26a~dfsg-0+deb9u2.

We recommend that you upgrade your ghostscript packages.

For the detailed security status of ghostscript, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/ghostscript


RN-1392 (CM-24530)
Debian Security Advisory DSA-4428-1 for systemd CVE-2019-3842

The following CVEs were announced in Debian Security Advisory DSA-4428-1 and affect the systemd package.

-------------------------------------------------------------------------------------------

Debian Security Advisory DSA-4428-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

April 08, 2019 https://www.debian.org/security/faq

-------------------------------------------------------------------------------------------

Package : systemd

CVE ID : CVE-2019-3842

Jann Horn discovered that the PAM module in systemd insecurely uses the environment and lacks seat verification permitting spoofing an active session to PolicyKit. A remote attacker with SSH access can take advantage of this issue to gain PolicyKit privileges that are normally only granted to clients in an active session on the local console.

For the stable distribution (stretch), this problem has been fixed in version 232-25+deb9u11.

This update includes updates previously scheduled to be released in the stretch 9.9 point release.

We recommend that you upgrade your systemd packages.

For the detailed security status of systemd, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/systemd


RN-1393 (CM-24510)
Debian Security Advisory DSA-4425-1 for wget CVE-2019-5953

The following CVEs were announced in Debian Security Advisory DSA-4425-1 and affect the wget package.

-------------------------------------------------------------------------------------------

Debian Security Advisory DSA-4425-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

April 05, 2019 https://www.debian.org/security/faq

-------------------------------------------------------------------------------------------

Package : wget

CVE ID : CVE-2019-5953

Debian Bug : 926389

Kusano Kazuhiko discovered a buffer overflow vulnerability in the handling of Internationalized Resource Identifiers (IRI) in wget, a network utility to retrieve files from the web, which could result in the execution of arbitrary code or denial of service when recursively downloading from an untrusted server.

For the stable distribution (stretch), this problem has been fixed in version 1.18-5+deb9u3.

We recommend that you upgrade your wget packages.

For the detailed security status of wget, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/wget


RN-1394 (CM-24357)
Debian Security Advisory DSA-4416-1 for wireshark CVE-2019-5716 CVE-2019-5717 CVE-2019-5718 CVE-2019-5719 CVE-2019-9208 CVE-2019-9209 CVE-2019-9214

The following CVEs were announced in Debian Security Advisory DSA-4416-1 and affect the wireshark package.

-------------------------------------------------------------------------------------------

Debian Security Advisory DSA-4416-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

March 24, 2019 https://www.debian.org/security/faq

-------------------------------------------------------------------------------------------

Package: wireshark

CVE ID: CVE-2019-5716 CVE-2019-5717 CVE-2019-5718 CVE-2019-5719 CVE-2019-9208 CVE-2019-9209 CVE-2019-9214

Debian Bug: 923611

It was discovered that Wireshark, a network traffic analyzer, contained several vulnerabilities in the dissectors for 6LoWPAN, P_MUL, RTSE, ISAKMP, TCAP, ASN.1 BER and RPCAP, which could result in denial of service.

For the stable distribution (stretch), these problems have been fixed in version 2.6.7-1~deb9u1.

We recommend that you upgrade your wireshark packages.

For the detailed security status of wireshark, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/wireshark


RN-1395 (CM-24607)
VNI configuration change causes the MLAG peer link to be in STP blocking state

When you commit a configuration change to a VXLAN layer 2 VNI in an MLAG configuration, the peer link on the MLAG secondary switch goes into an STP blocking state.


RN-1396 (CM-24486)
The bridge MDB for a multicast group is not synchronized between a pair of MLAG switches when IGMP fast leave is enabled

When a multicast receiver is dual connected to a pair of switches in an MLAG configuration and the MLAG port on both switches has IGMP fast leave enabled, when the receiver sends out an IGMP leave message, only the switch receiving the IGMP leave message through the MLAG port deletes the MDB entry. The peer switch that receives the IGMP leave message through the peer link does not delete the MDB entry pointing to the MLAG port.

This is a known issue that is currently being investigated.


RN-1397 (CM-24526)
On a Trident3 switch, transit packets larger than 1500 bytes (DF) routed between SVIs are unexpectedly forwarded to the CPU even when the MTU is greater than 9000

On Trident3 switches, transit packets larger than 1500 bytes (DF) routed between SVIs are unexpectedly forwarded to the CPU even when the MTU is greater than 9000. This severely limits throughput for routed jumbo frames, because packets arriving at a high rate are dropped when they are sent to the CPU.

This is a known issue that is currently being investigated.


RN-1398 (CM-24523)
MLAG bond may fail to inherit the MLAG system MAC, causing one member to be excluded from the MLAG interface

This might be a timing issue, where an MLAG bond might come up and fail to inherit the configured MLAG system MAC address for the LACP identifier. This causes the remote side of the bond to choose one of the bond members and keep the other member down because, without the shared system MAC, each device is trying to bring up the bond using the interface MAC.

It is fairly easy to identify this issue, as the LACP ID does not match the MLAG system MAC.

This is a known issue that is currently being investigated.


RN-1399 (CM-23952)
ifupdown2 user policy overrides do not apply if multiple files reference same module

If multiple files reference the same module, ifupdown2 user-defined policy overrides do not apply.

This is a known issue that is currently being investigated.


RN-1400 (CM-24606)
Issuing reload frr to apply BFD timer changes in /etc/frr/frr.conf results in a neighbor flap

If you modify BFD timers in the /etc/frr/frr.conf file, then run the systemctl reload frr command, the neighbor connections flap.

This is a known issue that is currently being investigated.


RN-1404 (CM-24652)
In an EVPN configuration, SVI MAC check is not performed per VLAN so centralized MAC address is not installed on the MLAG pair

In an EVPN environment, the centralized MAC address is not getting installed on the MLAG pair because Cumulus Linux does not perform an SVI MAC check per VLAN.

This issue does not manifest itself in a pure distributed routing (symmetric or asymmetric) environment or in a pure centralized routing environment.

This is a known issue that is currently being investigated.


RN-1405 (CM-24618)
Apostrophe in interface alias causes netd failure

If the interface alias contains a single or double quotation mark, or an apostrophe, the net show configuration commands fail with the following error:

ERROR: No closing quotation
See /var/log/netd.log for more details.

This is a known issue that is currently being investigated.


RN-1406 (CM-24494)
'rt vpn import' and 'route-target vpn import' missing from 'show run' output for all VRF instances when 'import vpn' command is also configured

When you configure import RTs in BGP manually, they do not appear in the output of the vtysh show run command. The proper RTs are displayed in the output of the show bgp ipv4 unicast route-leak command.

This is a known issue that is currently being investigated.


RN-1407 (CM-24484)
Removing the 'import vrf' statement from a BGP VRF instance without the default BGP instance defined causes bgpd to crash

If you have dynamic route leaking configured between any two VRFs and the BGP instance for the default VRF is not defined, removing an import vrf statement crashes bgpd. This occurs even if neither of the leaking VRFs are the default VRF.

This is a known issue that is currently being investigated.


RN-1410 (CM-24824)
DHCP relay crashes with the -nl flag when the server returns an offer

The dhcrelay service crashes when the DHCP relay packet comes back from the server.

To work around this issue, remove the --nl flag from the dhcrelay service.

This is a known issue that is currently being investigated.


RN-1413 (CM-24544)
clagd-vxlan-anycast-ip not removed until clagd restart

If the clagd-vxlan-anycast-ip is removed from the /etc/network/interfaces file (either with the NCLU command or by editing the file manually), MLAG still believes it is present until clagd restarts.

This is a known issue that is currently being investigated.


RN-1416 (CM-24799)
On Trident2 switches, control plane traffic received on an 802.1AD interface with 802.1Q encapsulation is dropped

On switches using the Trident2 ASIC, 802.1Q-encapsulated control plane traffic received on an interface with 802.1AD configured subinterfaces is dropped. This issue only affects QinQ configurations.

This is a known issue that is currently being investigated.


RN-1419 (CM-19052)
Cumulus VX 3.4.3 and later bundles netq-agent, but CL 3.4.3 and later does not

The NetQ agent is bundled with Cumulus VX 3.4.3 and later; however, the NetQ agent is not bundled with Cumulus Linux 3.4.3 and later.

The NetQ agent will be bundled with Cumulus Linux in a future release.


RN-1421 (CM-22311)
In an EVPN configuration, you see a `switchd` error when the bridge goes down

When a VXLAN SVI transitions to a non-VXLAN SVI, the associated VRRP MAC addresses are not removed. After the transition happens, the removal fails as the VXLAN context is lost and you see the following switchd error:

2018-09-06T20:38:20.682916+00:00 dell-s6010-01 switchd[5445]: 
  hal_bcm_l3.c:3436 ERR cannot find l3 intf for vlan: 224 mac: 00:00:5e:00:01:01 (-7)
2018-09-06T20:38:20.686105+00:00 dell-s6010-01 switchd[5445]: 
  hal_bcm_l3.c:3436 ERR cannot find l3 intf for vlan: 223 mac: 00:00:5e:00:01:01 (-7)
2018-09-06T20:38:20.773581+00:00 dell-s6010-01 switchd[5445]: 
  hal_bcm_l3.c:3436 ERR cannot find l3 intf for vlan: 112 mac: 00:00:5e:00:01:01 (-7)
2018-09-06T20:38:20.776986+00:00 dell-s6010-01 switchd[5445]: 
  hal_bcm_l3.c:3436 ERR cannot find l3 intf for vlan: 111 mac: 00:00:5e:00:01:01 (-7)

This is a known issue that is currently being investigated.


RN-1424 (CM-24838)
On the Dell N3048EP-ON switch, the poectl port numbering in JSON is off by one

The poectl -j command output does not show the correct port numbering in JSON; it is off by one.

This is a known issue that is currently being investigated.


RN-1426 (CM-24770)
On the Dell S4048-ON switch with BIOS 3.21.0.0-6, various reboot, shutdown, and init commands hang the switch

After upgrading the BIOS to 3.21.0.0-6 on the Dell S4048-ON switch, when you run the reboot, shutdown or init commands with certain options, the switch powers off. To determine the BIOS version of the switch, run:

cumulus@switch:~$ sudo dmidecode -s system-version
3.21.0.0-6

This is a known issue that is currently being investigated.


RN-1439 (CM-25298)
Debian Security Advisory for vim modelines CVE-2019-12735

The following CVE was announced in a Debian Security Advisory and affects vim modelines.

-------------------------------------------------------------------------------------------------------
Package: vim and neovim

CVE ID: CVE-2019-12735

Debian Bugs: 930020, 930024

-------------------------------------------------------------------------------------------------------

getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim.

For the detailed security status, refer to the security tracker page at:
https://security-tracker.debian.org/tracker/CVE-2019-12735
https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-12735.html
https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md

Cumulus Networks recommends that you disable modelines in the vimrc file (set nomodeline), use the securemodelines plugin, or disable modelineexpr (available since patch 8.1.1366, Vim only) to disallow expressions in modelines.

To check if you have modelines enabled, open vim and enter:

:set modeline?

If vim returns nomodeline, modelines are disabled and the switch is not exposed to this issue. If it returns modeline, or you want to enforce the setting regardless, add these lines to your vimrc file:

set modelines=0
set nomodeline

Vim enables modeline by default for non-root users, so do not rely on the default; set it explicitly.

Because the last setting read wins, verify that no later line in .vimrc (or in a system-wide vimrc) re-enables modeline or sets modelines to a non-zero value.
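The check above is easy to get wrong by hand, because a vimrc is applied top to bottom and a later set modeline silently undoes an earlier set nomodeline. The following Python script is an added example for this release note; it is not part of the release notes or of Cumulus Linux. It replays the set lines of a vimrc to work out the effective modeline and modelines values, reports whether modelines are still active, and appends the two disabling lines only when they are needed. The function names and the sample vimrc are constructed for the example; plain set lines only are interpreted (settings inside :if blocks or autocommands are not followed).

```python
import re

# Vim's compiled-in defaults for a non-root user: 'modeline' on, 'modelines' 5.
# Vim turns 'modeline' off by default when it runs as root.
DEFAULT_MODELINE = True
DEFAULT_MODELINES = 5

# ':set', 'set', 'setlocal' or 'setl' followed by one or more option arguments.
_SET_RE = re.compile(r'^\s*:?set(?:local|l)?\s+(.*)$')
_MODELINES_RE = re.compile(r'^(?:modelines|mls)=(\d+)$')


def effective_modeline(vimrc_text, is_root=False):
    """Apply a vimrc top to bottom and return (modeline_enabled, modelines_count).

    Later lines override earlier ones, which is why a 'set nomodeline' near the
    top of the file can be undone further down.
    """
    default_enabled = not is_root and DEFAULT_MODELINE
    enabled = default_enabled
    count = DEFAULT_MODELINES
    for raw in vimrc_text.splitlines():
        line = raw.split('"', 1)[0].strip()   # drop a trailing Vim comment
        m = _SET_RE.match(line)
        if not m:
            continue
        for opt in m.group(1).split():
            if opt in ('modeline', 'ml'):
                enabled = True
            elif opt in ('nomodeline', 'noml'):
                enabled = False
            elif opt in ('invmodeline', 'invml', 'modeline!', 'ml!'):
                enabled = not enabled
            elif opt in ('modeline&', 'ml&'):          # reset to the default
                enabled = default_enabled
            elif opt in ('modelines&', 'mls&'):
                count = DEFAULT_MODELINES
            else:
                mm = _MODELINES_RE.match(opt)
                if mm:
                    count = int(mm.group(1))
    return enabled, count


def modelines_active(vimrc_text, is_root=False):
    """True when Vim would still honour modelines after reading this vimrc."""
    enabled, count = effective_modeline(vimrc_text, is_root)
    return enabled and count > 0


def harden(vimrc_text):
    """Append the two disabling lines when they are needed, otherwise return the
    text unchanged.  They are appended rather than inserted at the top because
    the last setting wins: a later 'set modeline' would silently undo them."""
    if not modelines_active(vimrc_text):
        return vimrc_text
    return vimrc_text.rstrip('\n') + '\nset modelines=0\nset nomodeline\n'


# Constructed sample vimrc for this example: it looks hardened at a glance,
# but a later line switches modelines back on.
SAMPLE_VIMRC = '''\
" example vimrc
syntax on
set nomodeline        " disabled here ...
set tabstop=4 shiftwidth=4
set modeline          " ... and quietly re-enabled here
'''

if __name__ == '__main__':
    print('before:', effective_modeline(SAMPLE_VIMRC))          # (True, 5)
    print('after: ', effective_modeline(harden(SAMPLE_VIMRC)))  # (False, 0)
```

Run it against ~/.vimrc and the system-wide vimrc in the order Vim reads them (concatenate the files, system file first) to see the value that actually takes effect in a session.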


RN-1440
ifquery file syntax check does not return non-zero on failure

The ifquery command should return a non-zero value if there is a syntax error. However, it currently returns zero. This issue affects automation scripts that validate a file before copying it into place.

This is a known issue that is currently being investigated.


RN-1441 (CM-25284)
The clagd service fails silently when you run ifreload -a if the sys-mac leading zero is not included

If you configure a clagd-sys-mac in which an octet is written with a single hex digit (the leading zero is omitted), ifreload -a does not report that the MLAG sys-mac is invalid and the clagd process fails silently.

This is a known issue that is currently being investigated.


RN-1442 (CM-25240)
ifreload -a detects a mismatch on address-virtual if the leading zero is not included

If the address-virtual MAC address is missing a leading zero in the last octet, the interface bounces.

This is a known issue that is currently being investigated.


RN-1443 (CM-25033)
OVSDB gets FQDN hostname instead of the short hostname

The vtep-ctl list-ports <physical-switch-name> command returns ports with the fully qualified domain name of the switch instead of the short hostname.

This is a known issue that is currently being investigated.


RN-1445 (CM-25141)
TACACS-authenticated users cannot use net commands even though mapped TACACS users are in the netedit and/or netshow groups

A TACACS privilege level 15 user mapped to tacacs15 cannot use net commands even though the user is part of the netedit and/or netshow user group.

This is a known issue that is currently being investigated.


RN-1448 (CM-25344)
hsflowd fails with IPv6 disabled

If you disable IPv6 on the switch, hsflowd fails to start.

This is a known issue that is currently being investigated.


RN-1449 (CM-25030)
MLAG processing of VXLAN state synchronization might result in a hardware programming error

When you reboot the switch or restart the switchd service, a race condition between ASIC and kernel programming can cause the kernel to process the link state of a VXLAN interface incorrectly. The resulting synchronization issue misprograms the VXLAN tunnel endpoint (VTEP) interface in hardware: packets destined out this tunnel are dropped in the egress direction and packets arriving on this tunnel are dropped in the ingress direction.

To work around this issue, you can bounce the layer 3 SVI for the affected VRF. For example:

ifdown vlan123 ; sleep 2 ; ifup vlan123

Run the net show vrf vni command to show a mapping of the layer 3 VNI to layer 3 SVI for the VRF.

Note: This workaround is not guaranteed because the race condition cannot always be avoided.

This is a known issue that is currently being investigated.

The following new issues were added on June 19, 2019.

RN-1456 (CM-24895)
On Trident2 switches, egress double-tagged frames incorrectly use 802.1Q outer ethertype instead of 802.1AD

On Trident2 switches, egress double-tagged frames incorrectly use 802.1Q outer ethertype instead of 802.1AD.

This is a known issue that is currently being investigated.


RN-1457 (CM-25117)
BGP routes stop advertising after 128 VRFs

If you have a configuration with more than 128 VRFs, BGP routes stop advertising.

This is a known issue that is currently being investigated.


RN-1458 (CM-25358)
ifupdown2 does not remove/bring down the VRR (-v0) interface when issuing link-down on physical SVI

When you configure the link-down yes attribute to a physical SVI, the VRR (-v0) interface is not brought down, and the locally-connected subnet can still be redistributed into routing protocols and advertised to neighbors despite the physical SVI being administratively down.

To work around this issue, manually bring down the VRR (-v0) interface with the ip link set dev command. For example:

cumulus@switch:~$  sudo ip link set dev vlan100-v0 down

This is a known issue that is currently being investigated.


RN-1459 (CM-25137)
watchfrr times out and bgpd is unresponsive after a convergence event in a highly scaled environment

In a highly-scaled environment, while BGP is undergoing initial convergence, watchfrr times out and bgpd stops responding.

This is a known issue that is currently being investigated.


RN-1463 (CM-25106)
On the Dell N3048EP switch, the I2C bus might stick

On the Dell N3048EP switch, the I2C bus might lock and when you log into the console, you see the following message.

bcm-iproc-i2c 1803b000.i2c: bus is busy

As a result, temperatures cannot be monitored. However, traffic is not affected (links do not go down).

This is a known issue that is currently being investigated.


RN-1468 (CM-25343)
Debian Security Advisory DSA-4465-1 for linux kernel CVE-2019-3846 CVE-2019-5489 CVE-2019-9500 CVE-2019-9503 CVE-2019-10126 CVE-2019-11477 CVE-2019-11478 CVE-2019-11479 CVE-2019-11486 CVE-2019-11599 CVE-2019-11815 CVE-2019-11833 CVE-2019-11884

The following CVEs were announced in Debian Security Advisory DSA-4465-1 and affect the linux kernel.
-------------------------------------------------------------------------------------------
Debian Security Advisory DSA-4465-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

June 17, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------------------------
Package: linux
CVE ID: CVE-2019-3846 CVE-2019-5489 CVE-2019-9500 CVE-2019-9503 CVE-2019-10126 CVE-2019-11477 CVE-2019-11478 CVE-2019-11479 CVE-2019-11486 CVE-2019-11599 CVE-2019-11815 CVE-2019-11833 CVE-2019-11884
Debian Bug: 928989
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.
CVE-2019-3846, CVE-2019-10126
huangwen reported multiple buffer overflows in the Marvell wifi (mwifiex) driver, which a local user could use to cause denial of service or the execution of arbitrary code.
CVE-2019-5489
Daniel Gruss, Erik Kraft, Trishita Tiwari, Michael Schwarz, Ari Trachtenberg, Jason Hennessey, Alex Ionescu, and Anders Fogh discovered that local users could use the mincore() system call to obtain sensitive information from other processes that access the same memory-mapped file.
CVE-2019-9500, CVE-2019-9503
Hugues Anguelkov discovered a buffer overflow and missing access validation in the Broadcom FullMAC wifi driver (brcmfmac), which an attacker on the same wifi network could use to cause denial of service or the execution of arbitrary code.
CVE-2019-11477
Jonathan Looney reported that a specially crafted sequence of TCP selective acknowledgements (SACKs) allows a remotely triggerable kernel panic.
CVE-2019-11478
Jonathan Looney reported that a specially crafted sequence of TCP selective acknowledgements (SACKs) will fragment the TCP retransmission queue, allowing an attacker to cause excessive resource usage.
CVE-2019-11479
Jonathan Looney reported that an attacker could force the Linux kernel to segment its responses into multiple TCP segments, each of which contains only 8 bytes of data, drastically increasing the bandwidth required to deliver the same amount of data.
This update introduces a new sysctl value to control the minimal MSS (net.ipv4.tcp_min_snd_mss), which by default uses the formerly hard-coded value of 48. We recommend raising this to 536 unless you know that your network requires a lower value.
CVE-2019-11486
Jann Horn of Google reported numerous race conditions in the Siemens R3964 line discipline. A local user could use these to cause unspecified security impact. This module has therefore been disabled.
CVE-2019-11599
Jann Horn of Google reported a race condition in the core dump implementation which could lead to a use-after-free. A local user could use this to read sensitive information, to cause a denial of service (memory corruption), or for privilege escalation.
CVE-2019-11815
It was discovered that a use-after-free in the Reliable Datagram Sockets protocol could result in denial of service and potentially privilege escalation. This protocol module (rds) is not auto-loaded on Debian systems, so this issue only affects systems where it is explicitly loaded.
CVE-2019-11833
It was discovered that the ext4 filesystem implementation writes uninitialised data from kernel memory to new extent blocks. A local user able to write to an ext4 filesystem and then read the filesystem image, for example using a removable drive, might be able to use this to obtain sensitive information.
CVE-2019-11884
It was discovered that the Bluetooth HIDP implementation did not ensure that new connection names were null-terminated.
A local user with CAP_NET_ADMIN capability might be able to use this to obtain sensitive information from the kernel stack.
For the stable distribution (stretch), these problems have been fixed in version 4.9.168-1+deb9u3.
We recommend that you upgrade your linux packages.

For the detailed security status of linux, refer to its security tracker page at:
https://security-tracker.debian.org/tracker/linux

This issue will be fixed in a future release.
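The advisory's mitigation for CVE-2019-11479 is a sysctl value, and the fix that added it is what creates the key in the first place, so a switch can be in one of several states: key absent (kernel without the fix), key present at the old hard-coded 48, or raised. The following Python audit is an added example written for this release note; it is not part of the advisory or of Cumulus Linux. It parses `sysctl -a` style output and classifies the host against the 536 the advisory recommends, treating a missing net.ipv4.tcp_min_snd_mss key as a kernel that does not yet carry the fix. The function names and the sample sysctl excerpts are constructed for the example.

```python
import re

RECOMMENDED_MIN_SND_MSS = 536    # value the advisory recommends
KERNEL_DEFAULT_MIN_SND_MSS = 48  # the formerly hard-coded minimum, kept as the new default
MSS_KEY = 'net.ipv4.tcp_min_snd_mss'

_SYSCTL_LINE = re.compile(r'^\s*([\w.]+)\s*=\s*(.*?)\s*$')


def parse_sysctl(text):
    """Parse 'key = value' lines as printed by `sysctl -a` into a dict."""
    values = {}
    for line in text.splitlines():
        m = _SYSCTL_LINE.match(line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def audit_min_snd_mss(sysctl_text, required_min=RECOMMENDED_MIN_SND_MSS):
    """Classify a host against the CVE-2019-11479 mitigation.

    Returns one of:
      'unpatched' - the sysctl does not exist, so the kernel most likely predates the fix
      'default'   - the fix is present but the minimum is still the old hard-coded 48
      'weak'      - raised, but below the value you require
      'ok'        - at or above the required value
    """
    raw = parse_sysctl(sysctl_text).get(MSS_KEY)
    if raw is None:
        return 'unpatched'
    current = int(raw)
    if current <= KERNEL_DEFAULT_MIN_SND_MSS:
        return 'default'
    if current < required_min:
        return 'weak'
    return 'ok'


def sysctl_d_fragment(value=RECOMMENDED_MIN_SND_MSS):
    """The line to drop into /etc/sysctl.d/ to persist the mitigation."""
    return '%s = %d\n' % (MSS_KEY, value)


# Constructed `sysctl -a` excerpts for this example (not captured from a switch).
UNPATCHED = 'net.ipv4.tcp_sack = 1\nnet.ipv4.tcp_mtu_probing = 0\n'
PATCHED_DEFAULT = 'net.ipv4.tcp_sack = 1\nnet.ipv4.tcp_min_snd_mss = 48\n'
HARDENED = 'net.ipv4.tcp_sack = 1\nnet.ipv4.tcp_min_snd_mss = 536\n'

if __name__ == '__main__':
    for name, text in (('unpatched', UNPATCHED), ('patched', PATCHED_DEFAULT), ('hardened', HARDENED)):
        print('%-10s %s' % (name, audit_min_snd_mss(text)))
```

Keep the advisory's caveat in mind when acting on a 'weak' or 'default' result: raise the value to 536 unless you know your network needs a lower one, because the kernel refuses to send segments smaller than this minimum.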

The following new issues were added on June 28, 2019.

RN-1469 (CM-25404)
hsflowd unable to set v4 agent address

hsflowd disregards the agent.cidr setting in the /etc/hsflowd.conf file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the sFlow payload shows IPv6.

This is a known issue that is currently being investigated.


RN-1470 (CM-25400)
Creating an SVI with NCLU does not always add the required stanzas

If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically.

This is a known issue that is currently being investigated.


RN-1471 (CM-25397)
NCLU hides the bond bridge TAB complete suggestions

When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted.

This is a known issue that is currently being investigated.


RN-1472 (CM-25395)
The NCLU command net del all changes the exec-timeout in /etc/frr/frr.conf

When you run the NCLU net del all command, the exec-timeout setting changes in the /etc/frr/frr.conf file.

This is a known issue that is currently being investigated.


RN-1473 (CM-24712)
On the EdgeCore AS4610-54P switch, you see the log message Unhandled Exception : Traceback (most recent call last):#012

On the EdgeCore AS4610-54P switch, at any moment and without warning, all your PoE devices might go down when poed crashes, and an error message might be logged. There is no functional impact after a restart.

This is a known issue that is currently being investigated.

The following new issues were added on July 9, 2019.

RN-1474 (CM-25569)
The centralized EVPN gateway MAC address is not refreshed in the network when ARP suppression is enabled on the gateway

In a centralized VXLAN routing topology, the gateway advertises its MAC address to all other VTEPs. If the layer 2 network extends beyond the access layer VTEPs (for example, KVM with a bridge running on the host), the gateway MAC address needs to be refreshed by the end hosts/VMs ARPing for the gateway IP address or the network has to refresh the MAC address using periodic gratuitous ARP.

Currently, Cumulus Linux relies on the centralized gateway to generate gratuitous ARP (neighmgrd). However, if ARP suppression is enabled on the gateway, the gARP is suppressed on VXLAN interfaces. As a result, the gateway MAC might age out in the host bridge scenario and lead to an excessive unknown unicast flood within the host bridge when the VMs send the packet to be routed by the gateway.

To work around this issue and to keep the gateway MAC address refreshed in the network, disable ARP suppression on the centralized gateway.

This is a known issue that is currently being investigated.


RN-1475 (CM-25489)
BGP remove-private-AS replace-AS configuration on a pair of switches might cause a BGP flap due to updates

When BGP remove-private-AS replace-AS is configured under the BGP IPv4 or IPv6 address family between a pair of switches configured as BGP peers, a BGP route update might cause the BGP session to flap.

To work around this issue, do not configure remove-private-AS replace-AS in the BGP IPv4 or IPv6 address family.

This is a known issue that is currently being investigated.


RN-1476 (CM-25447)
An SNMP trap destination in the management VRF results in net unreachable

When you define a trap destination using @mgmt, snmpd indicates that the network is unreachable even though the IP address is reachable in the management VRF.

To work around this issue, remove @mgmt vrf references in the /etc/snmp/snmpd.conf file, stop snmpd, then start snmpd manually in the management VRF with the systemctl start snmpd@mgmt command.

This is a known issue that is currently being investigated.


RN-1479 (CM-25610)
Under specific circumstances, the mandatory nexthop attribute in the BGP update packet is missing

BGP update packets are sometimes missing the mandatory nexthop attribute, which causes connections to reset. For example, this issue is seen when using VRF route leaking with a mix of BGP unnumbered and BGP numbered peers.

This is a known issue that is currently being investigated.


RN-1480 (CM-25376)
`clagd` prints log messages indicating DumpThreadStacks

When you generate a cl-support file, clagd.service prints log messages similar to the following:

2019-03-21T07:18:15.727581+00:00 leaf01 clagd[20912]: 
  DumpThreadStacks - start
2019-03-21T07:18:15.728157+00:00 leaf01 clagd[20912]: 
  #012thread: CollectSysInfo (140608446367488)
2019-03-21T07:18:15.735986+00:00 leaf01 clagd[20912]: 
 file: /usr/lib/python2.7/threading.py, line 783, in __bootstrap
2019-03-21T07:18:15.736585+00:00 leaf01 clagd[20912]: 
  file: /usr/lib/python2.7/threading.py, line 810, in __bootstrap_inner
2019-03-21T07:18:15.737045+00:00 leaf01 clagd[20912]: 
  file: /usr/lib/python2.7/threading.py, line 763, in run
2019-03-21T07:18:15.737933+00:00 leaf01 clagd[20912]:  
 file: /usr/sbin/clagd, line 930, in CollectSysInfoT
2019-03-21T07:18:15.739527+00:00 leaf01 clagd[20912]: 
  file: /usr/sbin/clagd, line 187, in CollectSysInfo
2019-03-21T07:18:15.740540+00:00 leaf01 clagd[20912]:  
 file: /usr/lib/python2.7/threading.py, line 621, in wait
2019-03-21T07:18:15.742293+00:00 leaf01 clagd[20912]:  
 file: /usr/lib/python2.7/dist-packages/clag/clagthread.py, line 48, in wait
.
.
2019-03-21T07:18:16.456061+00:00 leaf01 clagd[20912]: DumpThreadStacks - end

This is a known issue that is currently being investigated.


RN-1486 (CM-25640)
The `dot1x send-eap-request-id` option does not allow for re-authentication

When you configure the switch to send an EAP request with the net add dot1x send-eap-request-id command, the switch ignores re-authentication attempts and does not send back an EAPOL frame.

This is a known issue that is currently being investigated.


RN-1487 (CM-25505)
On reboot, hardware tunnel programming done before software programming causes outage

During the bring-up sequence following a reboot, VXLAN routed packets (tenant traffic flows) transiting an MLAG peer are dropped until the clagd init-delay timer expires.

The problem is caused by a race condition when programming the anycast IP address (used to terminate VXLAN tunnels), where the hardware is programmed before the software by clagd. To route the tenant traffic flows, the kernel must perform address resolution but has to wait for the clagd init-delay timer to expire before the bonds can forward traffic. During the time when the ARP entry is unresolved, packets are dropped.

During the init-delay period, the ARP cache is not yet populated, so the problem exists until either the init-delay timer expires or clagd neighbor synchronization is complete. By default the clagd init-delay timer is set to 10 seconds and clagd neighbor synchronization occurs halfway through the init-delay period. Traffic resumes forwarding after one of the two criteria described above is met.

You might see this issue in EVPN symmetric or centralized configurations with BGP peering over a peer link.

To work around this issue, configure the BGP path across the peer link to be less preferred. The example below uses AS path prepending and the MLAG switches are iBGP neighbors. However, other BGP configurations achieve the same result.

In the /etc/frr/frr.conf file, create an AS path access list that matches routes with an empty AS path (^$, the routes the MLAG peer originates itself) and a route map that prepends the local ASN to them one or more times, then apply the route map to the peer-link BGP neighbor so that routes learned across the peer link carry the longer AS path. For example:

ip as-path access-list MY_ASN permit ^$ 

route-map peerlink-add-asn permit 10 
 match as-path MY_ASN 
 set as-path prepend 4200000101 
route-map peerlink-add-asn permit 20

This is a known issue that is currently being investigated.


RN-1488 (CM-25623)
The`net add interface link down` command hides the interface in `net show interface` output

When you bring down a link with the NCLU net add interface <interface> link down command, the interface is removed from the output of the net show interface command. This can make it difficult to troubleshoot why the link does not come up.

This is a known issue that is currently being investigated.


RN-1489 (CM-25641)
Traceback in `bmcd` when BMC is non-responsive

If the BMC operating system fails to respond to IPMI, you see a traceback in bmcd, and all the sensors might report ABSENT devices in smonctl.

To work around this issue, power cycle the switch.

This is a known issue that is currently being investigated.


RN-1499 (CM-25683)
NCLU fails to remove the BGP neighbor statement when a VRF exists

NCLU fails to remove the BGP neighbor statement when the BGP unnumbered interface belongs to a VRF. However, if the interface belongs to the default VRF, the BGP neighbor statement is removed.

This is a known issue that is currently being investigated.


RN-1512 (CM-24703)
On the Dell N3048EP-ON switch, `portwd -1 -v` reports 0 ports

The Dell N3048EP-ON switch does not support 1G Base-T modules in the SFP ports.


RN-1520 (CM-25815)
A stale virtual MAC entry causes EVPN route learning issue

When an SVI with a virtual MAC address is configured with a layer 2 VNI in an EVPN environment, and the /etc/network/interfaces file is then replaced with a different file that no longer contains the SVI and layer 2 VNI configuration, the original virtual MAC address remains stale and is not populated correctly through the EVPN route until FRR is restarted.

This is a known issue that is currently being investigated.


RN-1525 (CM-25684)
FEC is not reapplied after switchd restart

For interfaces configured with RS FEC, when switchd is restarted, the link goes down but does not automatically come back up. This occurs because the FEC status is not replayed correctly into the kernel.

To work around this issue, run the ifreload -a command to bring up the interface after switchd is restarted.

This is a known issue that is currently being investigated.


RN-1537 (CM-26147)
On the EdgeCore AS4610 switch, the ping command fails unless you use sudo

On the EdgeCore AS4610 switch, the ping command fails unless you run the command with sudo.

To work around this issue, run the following commands:

cumulus@switch:~$  sudo setcap cap_net_raw+ep /usr/share/mgmt-vrf/bin/ping 
cumulus@switch:~$  sudo setcap cap_net_raw+ep /usr/share/mgmt-vrf/bin/ping6 

Run the following command to verify the workaround:

cumulus@switch:~$  getcap /usr/share/mgmt-vrf/bin/ping* 

You should see the following output:

/usr/share/mgmt-vrf/bin/ping = cap_net_raw+ep
/usr/share/mgmt-vrf/bin/ping6 = cap_net_raw+ep 

Note: File capabilities are stored on the binary itself. If the package that provides these binaries is upgraded or reinstalled, check with getcap again and rerun the setcap commands if the capability is gone.

This is a known issue that is currently being investigated.


RN-1555 (CM-26272)
On a Mellanox Spectrum switch, route withdrawal causes the associated next hop neighbor entry in hardware to be removed

On the Mellanox Spectrum switch, a route withdrawal might cause the associated next hop neighbor entry to be deleted in hardware but remain in the kernel. This can cause traffic going through the directly connected route to the removed neighbor entry to be forwarded to the CPU.

The following issue was added on September 13, 2019.

RN-1558 (CM-24440)
bgpd dumps core at zclient_send_interface_radv_req

This issue has to do with how FRRouting checks next hops.

This issue is fixed in Cumulus Linux 3.7.9 and has been pushed upstream to FRRouting.

The following new issues were added on October 4, 2019.

RN-1569 (CM-25674)
On Mellanox switches, policer iptables are not working

On Mellanox switches, policer iptables are not working as expected. For example, when using a policer with mode KB/MB/GB to rate-limit interfaces, the syntax is accepted but the data plane transfer speed is not affected by the rule.

This is a known issue that is currently being investigated.


RN-1571 (CM-25646)
ifupdown2 does not remove IP address when moving from 'address' line to 'inet dhcp' and issuing 'ifreload -a'

When moving an IP address from the address line to inet dhcp, then issuing the ifreload -a command, the old address is not removed from the interface. NCLU still reports the old address only and reports it as a DHCP address.

This is a known issue that is currently being investigated.


RN-1572 (CM-25432)
snmpd double free memory or corruption crash in free_agent_snmp_session

The snmpd service frequently crashes due to double free or corruption.

This is a known issue that is currently being investigated.

Issues Fixed in Cumulus Linux 3.7.5

The following is a list of issues fixed in Cumulus Linux 3.7.5 from earlier versions of Cumulus Linux.


RN-1353 (CM-24495)
In an EVPN centralized routing configuration, Tomahawk and Tomahawk+ switches drop traffic

Tomahawk or Tomahawk+ switches drop traffic when using EVPN centralized routing.

This issue is fixed in Cumulus Linux 3.7.5.


RN-1355 (CM-23829)
Debian Security Advisory DSA-4387-1 and -2 for openssh CVE-2018-20685 CVE-2019-6109 CVE-2019-6111

The following CVEs were announced in Debian Security Advisory DSA-4387-1 and affect the openssh package.

This issue is fixed in Cumulus Linux 3.7.5.

---------------------------------------------------------------------------------------

Debian Security Advisory DSA-4387-1 security@debian.org

https://www.debian.org/security/ Yves-Alexis Perez

February 09, 2019 https://www.debian.org/security/faq

----------------------------------------------------------------------------------------

Package: openssh

CVE ID: CVE-2018-20685 CVE-2019-6109 CVE-2019-6111

Debian Bug: 793412 919101

Harry Sintonen from F-Secure Corporation discovered multiple vulnerabilities in OpenSSH, an implementation of the SSH protocol suite. All the vulnerabilities are found in the scp client implementing the SCP protocol.

CVE-2018-20685

Due to improper directory name validation, the scp client allows servers to modify permissions of the target directory by using empty or dot directory name.

CVE-2019-6109

Due to missing character encoding in the progress display, the object name can be used to manipulate the client output, for example to employ ANSI codes to hide additional files being transferred.

CVE-2019-6111

Due to scp client insufficient input validation in path names sent by server, a malicious server can do arbitrary file overwrites in target directory. If the recursive (-r) option is provided, the server can also manipulate subdirectories as well.

The check added in this version can lead to regression if the client and the server have differences in wildcard expansion rules. If the server is trusted for that purpose, the check can be disabled with a new -T option to the scp client.

For the stable distribution (stretch), these problems have been fixed in version 1:7.4p1-10+deb9u5.

We recommend that you upgrade your openssh packages.

For the detailed security status of openssh please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/openssh


RN-1368 (CM-24043)
Debian Security Advisory DSA-4400-1 for openssl CVE-2019-1559

The following CVE was announced in Debian Security Advisory DSA-4400-1 and affects the openssl package.

This issue is fixed in Cumulus Linux 3.7.5.

---------------------------------------------------------------------------------------

Debian Security Advisory DSA-4400-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

February 28, 2019 https://www.debian.org/security/faq

----------------------------------------------------------------------------------------

Package : openssl1.0

CVE ID : CVE-2019-1559

Juraj Somorovsky, Robert Merget and Nimrod Aviram discovered a padding oracle attack in OpenSSL.

For the stable distribution (stretch), this problem has been fixed in version 1.0.2r-1~deb9u1.

We recommend that you upgrade your openssl1.0 packages.

For the detailed security status of openssl1.0, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/openssl1.0

https://security-tracker.debian.org/tracker/CVE-2019-1559


RN-1369 (CM-24508)
On Broadcom switches, switchd crashes and reports log message: free(): invalid next size (fast): 0x01d51780 ***

When IGMP snooping is enabled on a Broadcom switch, after multiple PIM join and leave messages, switchd crashes and reports log messages similar to the following:

var/log/switchd.log:2019-04-05T03:03:35.563891-05:00 SWITCH1 switchd[1067]: 
  *** Error in `/usr/sbin/switchd': free(): invalid next size (fast): 0x000000000191e4d0 ***
var/log/switchd.log-2019-04-05T03:03:35.564456-05:00 SWITCH1 switchd[1067]: 
  linux-user-bde:new probed device unit 0 dev_no 0 _ndevices 1
var/log/switchd.log-2019-04-05T03:03:35.564855-05:00 SWITCH1 switchd[1067]: 
  DMA pool size: 67108864
var/log/syslog:2019-04-05T03:03:36.046102-05:00 SWITCH1 systemd[1]: 
  heartbeat-failed@switchd.service.service: main process exited, code=exited, status=1/FAILURE

This issue is fixed in Cumulus Linux 3.7.5.


RN-1370 (CM-24603)
Debian Security Advisory DSA-4431-1 for libssh2 CVE-2019-3855 CVE-2019-3856 CVE-2019-3857 CVE-2019-3858 CVE-2019-3859 CVE-2019-3860 CVE-2019-3861 CVE-2019-3862 CVE-2019-3863

The following CVEs were announced in Debian Security Advisory DSA-4431-1 and affect the libssh2 package.

This issue is fixed in Cumulus Linux 3.7.5.

---------------------------------------------------------------------------------------

Debian Security Advisory DSA-4431-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

April 13, 2019 https://www.debian.org/security/faq

---------------------------------------------------------------------------------------

Package: libssh2

CVE ID: CVE-2019-3855 CVE-2019-3856 CVE-2019-3857 CVE-2019-3858 CVE-2019-3859 CVE-2019-3860 CVE-2019-3861 CVE-2019-3862 CVE-2019-3863

Debian Bug: 924965

Chris Coulson discovered several vulnerabilities in libssh2, an SSH2 client-side library, which could result in denial of service, information leaks or the execution of arbitrary code.

For the stable distribution (stretch), these problems have been fixed in version 1.7.0-1+deb9u1.

We recommend that you upgrade your libssh2 packages.

For the detailed security status of libssh2, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/libssh2

New Known Issues in Cumulus Linux 3.7.5

The following issues affect the Cumulus Linux 3.7.5 release.


RN-1575 (CM-25403)
On the EdgeCore AS7726, switchd startup fails when splitting all 32 ports into 4X

When all ports are split into 4X on the EdgeCore AS7726 switch, switchd fails to start up and a crash is seen in syslog.

This is a known issue that is currently being investigated.


RN-1576 (CM-25158)
ifupdown2 does string comparison for MAC addresses

ifupdown2 does a string comparison to see if two addresses are the same. For example, hwaddress 00:00:5e:62:f8:02 and hwaddress 00:00:5e:62:f8:2 are not considered to be equal.

This is a known issue that is currently being investigated.
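RN-1441, RN-1442 and this issue (RN-1576) share one root cause: ifupdown2 treats a MAC address as a string, so 00:00:5e:62:f8:2 and 00:00:5e:62:f8:02 look different to it, and a short-form clagd-sys-mac or address-virtual slips through validation. The following Python script is an added example for these three release notes; it is not part of the release notes or of Cumulus Linux. It normalizes MAC addresses by value, compares them the way ifupdown2 does not, and audits an /etc/network/interfaces body for MAC addresses that are invalid or not written in canonical zero-padded form before you run ifreload -a. The function names and the sample interfaces file are constructed for the example; the clagd-sys-mac range check uses the 44:38:39:ff:00:00 to 44:38:39:ff:ff:ff range that the Cumulus Linux documentation reserves for that purpose.

```python
import re

# One or two hex digits per octet, so the short spelling "f8:2" that ifupdown2
# compares as a plain string is accepted here and normalised below.
_MAC_RE = re.compile(r'^[0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5}$')

# Range the Cumulus Linux documentation reserves for clagd-sys-mac addresses.
CLAGD_SYS_MAC_RANGE = (0x443839ff0000, 0x443839ffffff)

# /etc/network/interfaces keywords whose argument is a MAC address.
MAC_KEYWORDS = ('clagd-sys-mac', 'address-virtual', 'hwaddress')


def is_valid_mac(text):
    return _MAC_RE.match(text) is not None


def normalize_mac(text):
    """Return the MAC as lower-case, zero-padded xx:xx:xx:xx:xx:xx.

    Raises ValueError for anything that is not six colon-separated hex octets.
    """
    if not is_valid_mac(text):
        raise ValueError('not a colon-separated MAC address: %r' % (text,))
    return ':'.join('%02x' % int(octet, 16) for octet in text.split(':'))


def macs_equal(a, b):
    """Compare two MACs by value rather than by spelling."""
    return normalize_mac(a) == normalize_mac(b)


def in_clagd_sys_mac_range(mac):
    value = int(normalize_mac(mac).replace(':', ''), 16)
    lo, hi = CLAGD_SYS_MAC_RANGE
    return lo <= value <= hi


def audit_interfaces(text):
    """Scan an /etc/network/interfaces body for MAC addresses that are invalid
    or not written in canonical form.  Returns a list of
    (line_number, keyword, problem, suggested_value) tuples."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split('#', 1)[0].split()      # ignore comments
        if len(parts) < 2 or parts[0] not in MAC_KEYWORDS:
            continue
        keyword = parts[0]
        # classic ifupdown spells it "hwaddress ether <mac>"; skip the "ether".
        if keyword == 'hwaddress' and parts[1] == 'ether' and len(parts) > 2:
            value = parts[2]
        else:
            value = parts[1]
        if not is_valid_mac(value):
            findings.append((lineno, keyword, 'invalid MAC address', None))
            continue
        canonical = normalize_mac(value)
        if canonical != value.lower():
            findings.append((lineno, keyword, 'MAC not in canonical form', canonical))
        if keyword == 'clagd-sys-mac' and not in_clagd_sys_mac_range(canonical):
            findings.append((lineno, keyword, 'outside the reserved clagd-sys-mac range', None))
    return findings


# Constructed sample interfaces file for this example: both MACs drop a leading zero.
SAMPLE_INTERFACES = '''\
auto peerlink.4094
iface peerlink.4094
    clagd-peer-ip linklocal
    clagd-sys-mac 44:38:39:ff:40:9
    clagd-backup-ip 192.0.2.12

auto vlan100
iface vlan100
    address 10.0.100.2/24
    address-virtual 00:00:5e:00:01:1 10.0.100.1/24
    vlan-id 100
    vlan-raw-device bridge
'''

if __name__ == '__main__':
    for finding in audit_interfaces(SAMPLE_INTERFACES):
        print(finding)
```

Run the audit as a pre-check in the same automation that copies the file into place; a non-empty findings list is the signal to fix the spelling before ifreload -a, since ifreload itself will not tell you (RN-1441) or will bounce the interface instead (RN-1442).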

Issues Fixed in Cumulus Linux 3.7.4

The following is a list of issues fixed in Cumulus Linux 3.7.4 from earlier versions of Cumulus Linux.


RN-1071 (CM-22345)
Redirected traffic increments the INPUT ACL rule counter but does not perform an action

If a packet to an unknown IP address (but known network) enters the switch and matches an INPUT ACL rule, it is redirected for ARP and the counters increment for that rule, but it does not perform the action. This only happens until the ARP reply is sent, and then the traffic is forwarded properly.

To work around this issue, change the rules to INPUT,FORWARD instead of INPUT. Drops should then be logged properly.

This issue is fixed in Cumulus Linux 3.7.4.


RN-1078 (CM-22157)
On the Tomahawk+ switch, switchd fails on restart after configuring 2x50G in ports.conf

On Tomahawk+ switches, the switchd process is unable to restart after configuring 2x25G in the /etc/cumulus/ports.conf file.

This issue is fixed in Cumulus Linux 3.7.4.


RN-1091 (CM-22466)
Resilient hashing on Broadcom Trident 3 switch not fully supported

Full support for resilient hashing on Broadcom Trident 3 switches is not yet available.

This issue is fixed in Cumulus Linux 3.7.4.


RN-1193 (CM-22951)
Unable to bring up some 10G LR interfaces on Mellanox switches

It is not currently possible to bring up some 10G LR interfaces on Mellanox switches as auto-negotiation is set to on in hardware.

This issue is fixed in Cumulus Linux 3.7.4.


RN-1203 (CM-23535)
Debian Security Advisory DSA-4367-1 for systemd CVE-2018-16865

The following CVEs were announced in Debian Security Advisory DSA-4367-1 and affect the systemd package.

This issue is fixed in Cumulus Linux 3.7.4.

-----------------------------------------------------------------------------------

Debian Security Advisory DSA-4367-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

January 13, 2019 https://www.debian.org/security/faq

-----------------------------------------------------------------------------------

Package: systemd

CVE ID: CVE-2018-16864 CVE-2018-16865 CVE-2018-16866

Debian Bug: 918841 918848

The Qualys Research Labs discovered multiple vulnerabilities in systemd-journald. Two memory corruption flaws, via attacker-controlled alloca()s (CVE-2018-16864, CVE-2018-16865) and an out-of-bounds read flaw leading to an information leak (CVE-2018-16866), could allow an attacker to cause a denial of service or the execution of arbitrary code.

Further details in the Qualys Security Advisory at
https://www.qualys.com/2019/01/09/system-down/system-down.txt

For the stable distribution (stretch), these problems have been fixed in version 232-25+deb9u7.

We recommend that you upgrade your systemd packages.

For the detailed security status of systemd, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/systemd


RN-1229 (CM-23615)
On the Edgecore AS7816-64X switch, fans might spin at high speed

On the Edgecore AS7816-64X switch, the fans might spin at high speeds even when the temperature is not high.

This issue is fixed in Cumulus Linux 3.7.4.


RN-1231 (CM-23384)
On a Mellanox switch, you cannot disable FEC

You cannot currently disable FEC in Cumulus Linux on a Mellanox switch.

This issue is fixed in Cumulus Linux 3.7.4.


RN-1233 (CM-23298)
On the Dell S4148 switch, switchd fails to restart if link pause is enabled

On the Dell S4148 switch, if link pause is enabled in the /etc/cumulus/datapath/traffic.conf file, switchd fails to restart.

This issue is fixed in Cumulus Linux 3.7.4.


RN-1234 (CM-23115)
Using NCLU to reapply an IPv6 only neighbor causes BGP to flap

When you configure an IPv6 only neighbor with NCLU without the peer-group command, then execute the same commands again, the BGP session is reset.

For example, if you run the following commands:

cumulus@switch:~$ net add bgp neighbor swp29 interface remote-as external
cumulus@switch:~$ net add bgp neighbor swp29 interface v6only

Cumulus Linux removes the net commands and adds the following line to FRR (using v6only remote-as), which causes BGP to flap.

neighbor swp29 interface v6only remote-as external

This issue does not occur if you add the peer-group command; for example:

cumulus@switch:~$ net add bgp neighbor external peer-group
cumulus@switch:~$ net add bgp neighbor external remote-as external
cumulus@switch:~$ net add bgp neighbor swp29 interface v6only peer-group external

This issue is fixed in Cumulus Linux 3.7.4.


RN-1238 (CM-23280)
On loss of peer link followed by backup IP becoming inactive, the MLAG secondary switch brings bonds up but not VXLAN VNIs

When the peer link is lost and the backup IP address becomes inactive, the MLAG secondary switch brings up bonds but not VXLAN VNIs.

This issue is fixed in Cumulus Linux 3.7.4.


RN-1247 (CM-23649)
In EVPN with duplicate address detection, after a MAC address is frozen, if a remote update is received with a higher sequence number, the offload entry is installed in the bridge FDB

When a MAC address is frozen, if the switch receives an update for that MAC address from a remote VTEP and the remote sequence number of that update is higher than its local sequence number, the switch programs that MAC address in the kernel bridge FDB as an offload entry reachable behind that remote VTEP. This occurs only when the MAC is moving across three or more VTEPs.

This issue is fixed in Cumulus Linux 3.7.4.


RN-1248 (CM-23631)
On the Trident3 switch, not all ping requests match on the ingress ACL rule

On Trident3 switches, not all ping requests match on the ingress ACL rule.

This issue is fixed in Cumulus Linux 3.7.4.


RN-1251 (CM-23701)
cl-acltool fails to install multiple rules as ordered set

ACL install is sensitive to the ordering of the LOG/DROP rules. For example, an ACL policy.d file containing only the following:

-A FORWARD -s 192.0.2.10,192.0.2.11 -j LOG
-A FORWARD -s 192.0.2.10,192.0.2.11 -j DROP

fails to install with the following error message from cl-acltool -i:

error: hw sync failed (Cannot process iptables,FORWARD,78,Rule with LOG must be 
  followed by same rule with DROP)

This happens because cl-acltool internally expands the two rules in the wrong order.

This issue is fixed in Cumulus Linux 3.7.4.


RN-1252 (CM-23700)
cl-acltool does not install LOG rules if the source or destination has multiple comma-separated prefixes

cl-acltool -i fails to install LOG rules if either the source or destination (-d or -s) has multiple comma-separated values, such as:

-A FORWARD -s "192.168.0.0/16" -d "192.168.0.0/16,172.16.0.0/12" -j LOG 
  --log-prefix "DROP: "
-A FORWARD -s "192.168.0.0/16" -d "192.168.0.0/16,172.16.0.0/12" -j DROP

You see errors similar to the following:

error: hw sync failed (Cannot process iptables,FORWARD,46,Rule with LOG 
  must be followed by same rule with DROP)
error: hw sync failed (Cannot process ip6tables,FORWARD,30,Rule with 
  LOG must be followed by same rule with DROP)

This issue is fixed in Cumulus Linux 3.7.4.
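The two cl-acltool issues above (RN-1251 and RN-1252) both come down to the order in which comma-separated -s/-d prefixes are expanded. The following added example, which is not cl-acltool's own code, expands a policy.d fragment both ways and runs the same LOG-then-DROP pairing check that the hardware sync enforces, so a policy file can be linted before cl-acltool -i is run; the POLICY list is constructed sample input built from the rules quoted in the two issues.

```python
import itertools
import shlex

MULTI_VALUE_FLAGS = ("-s", "-d")                    # values may be comma lists
LOG_ONLY_OPTIONS = ("--log-prefix", "--log-level")  # present on LOG rules only

# Constructed sample: the rules from the two issues above, as one policy.d file.
POLICY = [
    "-A FORWARD -s 192.0.2.10,192.0.2.11 -j LOG",
    "-A FORWARD -s 192.0.2.10,192.0.2.11 -j DROP",
    '-A FORWARD -s "192.168.0.0/16" -d "192.168.0.0/16,172.16.0.0/12" -j LOG '
    '--log-prefix "DROP: "',
    '-A FORWARD -s "192.168.0.0/16" -d "192.168.0.0/16,172.16.0.0/12" -j DROP',
]

def render(tokens):
    """Join tokens back into a rule line, re-quoting values such as "DROP: "."""
    return " ".join(shlex.quote(t) for t in tokens)

def target_of(tokens):
    """Return the -j target of a tokenised rule, or None if it has none."""
    for i, tok in enumerate(tokens[:-1]):
        if tok == "-j":
            return tokens[i + 1]
    return None

def match_key(tokens):
    """The tokens that say what a rule matches: the target and the LOG-only
    options are stripped so a LOG rule and its DROP twin compare equal."""
    key, skip = [], False
    for tok in tokens:
        if skip:
            skip = False
            continue
        if tok == "-j" or tok in LOG_ONLY_OPTIONS:
            skip = True          # skip the option and the value after it
            continue
        key.append(tok)
    return tuple(key)

def expand_rule(tokens):
    """Expand comma-separated -s/-d values into one rule per combination,
    in the order the prefixes were written."""
    slots = [(i + 1, tokens[i + 1].split(","))
             for i, tok in enumerate(tokens[:-1]) if tok in MULTI_VALUE_FLAGS]
    if not slots:
        return [list(tokens)]
    out = []
    for combo in itertools.product(*[vals for _, vals in slots]):
        t = list(tokens)
        for (pos, _), val in zip(slots, combo):
            t[pos] = val
        out.append(t)
    return out

def expand_policy(rules, interleave=True):
    """Expand a whole policy. With interleave=True a LOG rule and the DROP rule
    directly after it are expanded together, so every expanded LOG line is
    followed by its own DROP line. interleave=False expands rule by rule,
    which produces the ordering the hardware sync rejects."""
    parsed = [shlex.split(r) for r in rules if r.strip() and not r.startswith("#")]
    expanded, i = [], 0
    while i < len(parsed):
        cur = parsed[i]
        nxt = parsed[i + 1] if i + 1 < len(parsed) else None
        if (interleave and nxt is not None and target_of(cur) == "LOG"
                and target_of(nxt) == "DROP" and match_key(cur) == match_key(nxt)):
            for log_t, drop_t in zip(expand_rule(cur), expand_rule(nxt)):
                expanded.extend([log_t, drop_t])
            i += 2
        else:
            expanded.extend(expand_rule(cur))
            i += 1
    return [render(t) for t in expanded]

def check_log_drop_pairs(rules):
    """Return (line_number, message) for each LOG rule that is not immediately
    followed by the same rule with a DROP target; an empty list means the
    expanded policy satisfies the ordering the error message above demands."""
    toks = [shlex.split(r) for r in rules]
    problems = []
    for n, t in enumerate(toks):
        if target_of(t) != "LOG":
            continue
        nxt = toks[n + 1] if n + 1 < len(toks) else None
        if nxt is None or target_of(nxt) != "DROP" or match_key(nxt) != match_key(t):
            problems.append((n + 1, "Rule with LOG must be followed by same rule with DROP"))
    return problems

if __name__ == "__main__":
    for label, order in (("rule-by-rule", False), ("paired", True)):
        rules = expand_policy(POLICY, interleave=order)
        print(f"{label} expansion ({len(rules)} rules):", *rules, sep="\n    ")
        print("  problems:", check_log_drop_pairs(rules) or "none")
```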


RN-1257 (CM-23586)
Attribute change does not factor into route filtering when injecting into EVPN

EVPN supports a route map to control which routes in the BGP VRF routing table can inject into EVPN as type-5. This is supposed to operate properly on all common criteria handled by BGP route maps. However, when there is an attribute change that results in the route having to be filtered out, it does not remove the route from EVPN if previously obtained from there.

This issue is fixed in Cumulus Linux 3.7.4.


RN-1260 (CM-23747)
The Dell Z9264F and Edgecore AS7816 switches do not support QSFP optical modules broken out to 4x individual interfaces

The Dell Z9264F and Edgecore AS7816 switches do not support QSFP optical modules broken out to 4x individual interfaces.

This issue is fixed in Cumulus Linux 3.7.4.


RN-1261 (CM-23739)
On the Edgecore AS7816 switch, links for ports configured as 4x do not come up

On the Edgecore AS7816 switch, when you configure ports as 4x, the links for the ports do not come up and the port EEPROM cannot be read.

This issue is fixed in Cumulus Linux 3.7.4.


RN-1272 (CM-23726)
Dell S5048F-ON switch experiences PCIe Bus Error

The EEPROM information changed on the Dell S5048F switch, which causes PCIe Bus Errors.

This issue is fixed in Cumulus Linux 3.7.4.


RN-1281 (CM-23789)
SNMPv3 bulkget causes the agent to crash

After upgrading to Cumulus Linux, the SNMP agent crashes when you call snmpbulkget. The SNMP agent will automatically restart and there is no impact to forwarding traffic.

To work around this issue, do not call snmpbulkget where the response packet length is greater than the default maximum message length of 1472.

This issue is fixed in Cumulus Linux 3.7.4.


RN-1291 (CM-24224)
Layer 3 VNI permanent MAC entry in a bridge FDB is sometimes overwritten by offload and sometimes missing

Permanent bridge FDB entries for a layer 3 VNI SVI are sometimes overwritten by an offload entry and sometimes missing.

This issue is fixed in Cumulus Linux 3.7.4.


RN-1296 (CM-24141)
portwd traceback with keyerror while decoding transceiver codes

When an improperly programmed or corrupted module is inserted, the portwd service might crash due to an EEPROM transceiver code decoding problem and cannot be restarted.

This issue is fixed in Cumulus Linux 3.7.4.


RN-1300 (CM-24022)
Incorrect VNI associated with prefix

In an MLAG configuration, some prefixes are correlated with an incorrect VNI, which results in loss of redundant paths in the fabric for these prefixes. To work around this issue, restart FRR or perform a hard boot.

This issue is fixed in Cumulus Linux 3.7.4.


RN-1301 (CM-24001, CM-22157)
On the Tomahawk switch, portwd fails with ports configured to both 50G and 4x25G at the same time

On a Tomahawk switch, if you configure a port as 50G and another port as 4x25G at the same time, the portwd service fails.

This issue is fixed in Cumulus Linux 3.7.4.


RN-1303 (CM-23892)
EVPN next hops are sometimes not removed when the peer goes down

Under certain conditions, EVPN next hops might not be removed when the contributing peer goes down or might not be populated when the BGP session to the contributing peer comes up.

This issue is fixed in Cumulus Linux 3.7.4.


RN-1304 (CM-23801)
Traffic destined to the SVI of the MLAG paired switch is forwarded, then dropped

The switch forwards traffic destined to the SVI of the MLAG paired switch, then drops the traffic.

This issue is fixed in Cumulus Linux 3.7.4.


RN-1305 (CM-23790)
Incorrect PMSI label advertised for layer 2 VNI, which creates an interoperability issue with Cisco NXOS

When layer 2 VNIs are configured that terminate on Cisco switches at the edge, BUM traffic arriving on the Cisco switch is not being properly VXLAN encapsulated and forwarded to the Cumulus VTEPs.

This issue is fixed in Cumulus Linux 3.7.4.


RN-1306 (CM-23674)
The permanent MAC entry corresponding to the layer 3 VNI's SVI (corresponding VLAN) is missing in the bridge FDB

The permanent MAC entry that corresponds to the SVI of the layer 3 VNI (corresponding VLAN) is missing in the bridge FDB.

This issue is fixed in Cumulus Linux 3.7.4.


RN-1316 (CM-24320)
In an EVPN configuration, incorrect RD is sent after a port flap

The wrong route distinguisher is sent in an EVPN advertisement after a port flap.

This issue is fixed in Cumulus Linux 3.7.4.


RN-1318 (CM-21285)
On Mellanox switches, misconfiguration of bridge-related lines in the /etc/network/interfaces file under a routed switch port discards traffic

If you add a bridge configuration on a routed (BGP unnumbered) switch port on a Mellanox switch, BGP remains up with routes exchanged or sent from the control plane, but packets received on this interface in the data plane are discarded in hardware.

This issue is fixed in Cumulus Linux 3.7.4.


RN-1319 (CM-18989)
OSPF improperly determines LSA recency

OSPF might improperly determine the LSA recency (CVE-2017-3224).

This issue is fixed in Cumulus Linux 3.7.4.


RN-1320 (CM-23649)
In EVPN, after a MAC freeze, if the remote update is received with a higher sequence number, the offload entry is installed in the bridge FDB

In an EVPN environment, when a MAC address is frozen, if the switch receives an update for that MAC from a remote VTEP and the remote sequence number of that update is higher than its local sequence number, the switch programs that MAC address in the kernel bridge FDB as an offload entry reachable behind that remote VTEP. This occurs only when the MAC address is moving across three or more VTEPs.

This issue is fixed in Cumulus Linux 3.7.4.


RN-1336 (CM-22572)
Debian Security Issue for the Linux kernel CVE-2018-17182

The following CVE was announced and affects the Linux kernel:

https://security-tracker.debian.org/tracker/CVE-2018-17182 for Debian.

This issue is fixed in Cumulus Linux 3.7.4.


RN-1337 (CM-24093)
Logs do not describe which value failed to parse

Currently, if the BMC firmware encounters a value that it cannot parse, it logs the following message, which provides insufficient data to understand which value failed to parse correctly and how to further investigate the issue.

2012-01-10T20:41:58.694892+09:00 spc-1am09-1-fb02 bmcd: 
  unparsible sensor value "FAULT ALARM"
2012-01-12T07:08:33.694504+09:00 spc-1am09-1-fb02 bmcd: 
  unparsible sensor value "FAULT ALARM"
2012-01-13T17:51:58.695336+09:00 spc-1am09-1-fb02 bmcd: 
  unparsible sensor value "FAULT ALARM"
2012-01-13T19:31:03.692842+09:00 spc-1am09-1-fb02 bmcd: 
  unparsible sensor value "FAULT ALARM" 

This issue is fixed in Cumulus Linux 3.7.4.


RN-1338 (CM-23882)
SNMP entry for HostTableEntries always 0

Both the current and maximum values for the HostTableEntries counter always poll as 0 even when cl-resource-query provides the correct value.

This issue is fixed in Cumulus Linux 3.7.4.


RN-1339 (CM-23847)
10G/25G port limit error in syslog is not clear

On the platforms that require a port block to be configured as a set of 10G or 25G, if you do not configure the entire set, for example:

1=10G
2=25G
3=25G
4=10G

when you restart switchd, the service restarts and Cumulus Linux logs an error message to /var/log/switchd.log that does not make the cause clear.

This issue is fixed in Cumulus Linux 3.7.4.


RN-1340 (CM-23920)
Debian Security Advisory DSA-4393-1 for systemd CVE-2019-6454

The following CVEs were announced in Debian Security Advisory DSA-4393-1 and affect the systemd package.

This issue is fixed in Cumulus Linux 3.7.4.

----------------------------------------------------------------------------------

Debian Security Advisory DSA-4393-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

February 18, 2019 https://www.debian.org/security/faq

----------------------------------------------------------------------------------

Package : systemd

CVE ID : CVE-2019-6454

Chris Coulson discovered a flaw in systemd leading to denial of service.

An unprivileged user could take advantage of this issue to crash PID1 by sending a specially crafted D-Bus message on the system bus.

For the stable distribution (stretch), this problem has been fixed in version 232-25+deb9u9.

We recommend that you upgrade your systemd packages.

For the detailed security status of systemd please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/systemd


RN-1341 (CM-23793)
Debian Security Advisory DSA 4386-1 for curl CVE-2018-16890 CVE-2019-3822 CVE-2019-3823

The following CVEs were announced in Debian Security Advisory DSA-4386-1 and affect the curl package.

This issue is fixed in Cumulus Linux 3.7.4.

----------------------------------------------------------------------------------

Debian Security Advisory DSA-4386-1 security@debian.org

https://www.debian.org/security/ Alessandro Ghedini

February 06, 2019 https://www.debian.org/security/faq

----------------------------------------------------------------------------------

Package : curl

CVE ID : CVE-2018-16890 CVE-2019-3822 CVE-2019-3823

Multiple vulnerabilities were discovered in cURL, a URL transfer library.

CVE-2018-16890

Wenxiang Qian of Tencent Blade Team discovered that the function handling incoming NTLM type-2 messages does not validate incoming data correctly and is subject to an integer overflow vulnerability, which could lead to an out-of-bounds buffer read.

CVE-2019-3822

Wenxiang Qian of Tencent Blade Team discovered that the function creating an outgoing NTLM type-3 header is subject to an integer overflow vulnerability, which could lead to an out-of-bounds write.

CVE-2019-3823

Brian Carpenter of Geeknik Labs discovered that the code handling the end-of-response for SMTP is subject to an out-of-bounds heap read.

For the stable distribution (stretch), these problems have been fixed in version 7.52.1-5+deb9u9.

We recommend that you upgrade your curl packages.

For the detailed security status of curl please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/curl


RN-1343 (CM-22834)
Some IPv6 BGP peers fail to reestablish after switchd restart

After switchd restarts, certain IPv6 BGP peers fail to reestablish.

This issue is fixed in Cumulus Linux 3.7.4.


RN-1418 (CM-24125)
neighmgrd has high memory usage and crashes

neighmgrd crashes and more than half the neighbor entries are in a FAILED state. Memory and CPU usage are high.

This issue is fixed in Cumulus Linux 3.7.4.

The following issue was added on July 24, 2019:


RN-1317 (CM-23891)
Filesystem timeouts and read-only filesystem on hardware using 3IE3/3IE4/3ME3 SSDs

Some SSD (solid-state disk or flash) drive models — 3IE3, 3IE4 and 3ME3 — commonly used in network switches require the use of the TRIM command to function properly. By default, Cumulus Linux, like most other Linux distributions, does not enable TRIM. This command enables the operating system to keep the firmware up to date on empty areas of the drive to ensure that writes work correctly. Over time, without this notification, when extensive logging or debugging to the SSD is enabled, the firmware may take longer to perform write operations, which can in turn cause driver timeouts. These disk errors may eventually lead to the filesystem being mounted as read-only.

Cumulus Linux now detects drives that require TRIM and enables the discard option when creating the /etc/fstab file during the installation of the network operating system. The /etc/fstab file was also updated to enable the discard option when running apt-get upgrade to upgrade to Cumulus Linux 3.7.4 or later.

Cumulus Networks initially acknowledged this issue in this product bulletin.

This issue is fixed in Cumulus Linux 3.7.4.
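Because the fix for this issue works by adding the discard mount option to /etc/fstab, a practitioner upgrading an existing switch will want to confirm that the option is actually present. The following added check (not the Cumulus Linux installer's code) parses an fstab, reports TRIM-capable filesystems that lack discard, and produces corrected lines while leaving comments, tmpfs entries and already-correct lines untouched; SAMPLE_FSTAB is constructed sample input, and the set of TRIM-capable filesystem types is an assumption.

```python
import re

# Constructed sample: a root filesystem without discard, plus lines that a
# fix must leave alone (a comment, a tmpfs entry, an entry that already has it).
SAMPLE_FSTAB = """\
# /etc/fstab: static file system information (constructed sample).
UUID=0000-CONSTRUCTED-0000  /            ext4  defaults,errors=remount-ro  0 1
tmpfs                       /tmp         tmpfs defaults                    0 0
/dev/sda2                   /mnt/persist ext4  defaults,discard            0 2
"""

# Assumption: block-device filesystem types on which the discard option applies.
TRIM_CAPABLE_FSTYPES = {"ext4", "ext3", "xfs", "btrfs"}


def parse_fstab(text):
    """Yield (device, mountpoint, fstype, options) for each real fstab entry."""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split()
        if len(fields) < 4:
            continue                    # malformed line: report nothing, guess nothing
        yield fields[0], fields[1], fields[2], fields[3].split(",")


def missing_discard(text):
    """Return the mount points of TRIM-capable filesystems mounted without discard."""
    return [mnt for _, mnt, fstype, opts in parse_fstab(text)
            if fstype in TRIM_CAPABLE_FSTYPES and "discard" not in opts]


def add_discard(line):
    """Return the line with discard appended to its options field, preserving the
    original column spacing; lines that need no change are returned unchanged."""
    fields = list(re.finditer(r"\S+", line))
    if len(fields) < 4 or line.lstrip().startswith("#"):
        return line
    fstype, opts = fields[2].group(), fields[3]
    if fstype not in TRIM_CAPABLE_FSTYPES or "discard" in opts.group().split(","):
        return line
    return line[:opts.end()] + ",discard" + line[opts.end():]


def fix_fstab(text):
    """Apply add_discard to every line of an fstab and return the new contents."""
    return "\n".join(add_discard(line) for line in text.splitlines()) + "\n"


if __name__ == "__main__":
    print("without discard:", missing_discard(SAMPLE_FSTAB))
    print(fix_fstab(SAMPLE_FSTAB))
```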

New Known Issues in Cumulus Linux 3.7.4

The following issues affect the Cumulus Linux 3.7.4 release.

Release Note ID Summary Description

RN-1321 (CM-24321)
VRF route leaking in an EVPN configuration fails to forward packets to the connected source/destination when leaking between the default VRF and other VRFs

In an EVPN configuration, packets are not forwarded to the connected source or destination when routes are being leaked between the default VRF and other VRFs.

This is a known issue that is currently being investigated.


RN-1325 (CM-24318)
On the Broadcom Trident2+ switch, internal VLAN tag imposed on VXLAN-encapped traffic when the ingress and egress routed ports are the same

On the Broadcom Trident2+ switch, the internal VLAN tag is imposed on VXLAN-encapped traffic when the ingress and egress routed ports are the same.

This is a known issue that is currently being investigated.


RN-1326 (CM-24272)
Unable to configure VRRP priority and advertisement-interval with NCLU on traditional bridges

When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.

To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example:

cumulus@switch:~$ sudo vtysh
switch# configure terminal
switch(config)# interface br0.100
switch(config-if)# vrrp 1 priority 110
switch(config-if)# vrrp 1 advertisement-interval  
switch(config-if)# end
switch# write memory
switch# exit
cumulus@switch:~

This is a known issue that is currently being investigated.


RN-1327 (CM-24271)
Unable to change the VRRP priority with NCLU on SVIs (vlan-aware bridges)

On SVIs in a VLAN-aware bridge, you cannot change the VRRP priority with NCLU.

To work around this issue, run the vtysh command inside FRR to change the default priority. For example:

cumulus@switch:~$ sudo vtysh
switch# configure terminal
switch(config)# interface vlan100 
switch(config-if)# vrrp 1 priority 110
switch(config-if)# end
switch# write memory
switch# exit
cumulus@switch:~

This is a known issue that is currently being investigated.


RN-1328 (CM-24270)
Unable to change VRRP version, preempt mode, or accept mode from default values

Cumulus Linux uses VRRPv3 as the default version, and enables both preempt and accept mode by default. You cannot change these default values with NCLU.

To work around this issue, run the vtysh commands (inside FRR) to change the default values. For example:

cumulus@switch:~$ sudo vtysh
switch# configure terminal
switch(config)# interface swp4 
switch(config-if)# vrrp 1 version 2
switch(config-if)# no vrrp 1 preempt 
switch(config-if)# end
switch# write memory
switch# exit
cumulus@switch:~

This is a known issue that is currently being investigated.


RN-1329 (CM-24255)
MDA: Interface specific configuration changes fail if the port is already authorized

The net commit command fails when you try to add a static voice VLAN or delete dot1x configuration for an interface when the port is already authorized.

This is a known issue that is currently being investigated.


RN-1349 (CM-24435)
'match interface' in the NCLU route map command allows glob syntax even though FRR route-map only allows a single 'match interface' statement per clause

When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a match interface condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces.

For example, this command is incorrect:

net add routing route-map Proxy-ARP permit 25 match interface swp9-10 

These commands are correct:

net add routing route-map Proxy-ARP permit 25 match interface swp9 
net add routing route-map Proxy-ARP permit 30 match interface swp10

This is a known issue that is currently being investigated.


RN-1350 (CM-24426)
NCLU tab completion for the net add vrf command only shows <ENTER>

NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf <name> command just displays <ENTER>. For example:

cumulus@switch:~$ net add vrf mgmt 
    <ENTER>

Tab completion for the net add vrf <name> ip address <address> command works correctly.

This is a known issue that is currently being investigated.


RN-1352 (CM-24412)
On Mellanox switches, /usr/lib/cumulus/mlxcmd l2 fdb show timers shows an incorrect aging timer

On a Mellanox switch, /usr/lib/cumulus/mlxcmd l2 fdb show timers shows the age timer as 33 seconds; however, the default is 1800 seconds:

cumulus@switch:~$  sudo /usr/lib/cumulus/mlxcmd l2 fdb show timers
[sudo] password for cumulus: 
Swid    Age Time (sec)
0         33

This is a known issue that is currently being investigated.


RN-1353 (CM-24495)
In an EVPN centralized routing configuration, Tomahawk and Tomahawk+ switches drop traffic

Tomahawk or Tomahawk+ switches drop traffic when using EVPN centralized routing.

This is a known issue that is currently being investigated. Cumulus Networks recommends that you do not upgrade to Cumulus Linux 3.7.4 if you are using EVPN centralized routing on the Tomahawk or Tomahawk+ switch.


RN-1369 (CM-24508)
On Broadcom switches, switchd crashes and reports log message: free(): invalid next size (fast): 0x01d51780 ***

When IGMP snooping is enabled on a Broadcom switch, after multiple PIM join and leave messages are sent, switchd crashes and reports log messages similar to the following:

var/log/switchd.log:2019-04-05T03:03:35.563891-05:00 SWITCH1 switchd[1067]: 
  *** Error in `/usr/sbin/switchd': free(): invalid next size (fast): 0x000000000191e4d0 ***
var/log/switchd.log-2019-04-05T03:03:35.564456-05:00 SWITCH1 switchd[1067]: linux-user-bde:
  new probed device unit 0 dev_no 0 _ndevices 1
var/log/switchd.log-2019-04-05T03:03:35.564855-05:00 SWITCH1 switchd[1067]: DMA pool size: 67108864
var/log/syslog:2019-04-05T03:03:36.046102-05:00 SWITCH1 systemd[1]: 
  heartbeat-failed@switchd.service.service: main process exited, code=exited, status=1/FAILURE

This is a known issue that is currently being investigated.


RN-1438 (CM-24829)
The RADIUS AAA client does the source IP address bind and setsockopt VRF in reverse order

The RADIUS AAA client does the source IP address bind first, then the setsockopt VRF, which causes a failure due to a kernel check for an address mismatch with the VRF.

This is a known issue that is currently being investigated.


RN-1447 (CM-24894)
BGP maximum-prefix restart timer value ignored

The maximum-prefix configuration under the IPv4 address family has an optional restart value which you can configure. This configuration is ignored and, instead of restarting the session after the configured number of minutes, the peer constantly changes between established and idle because the prefix count is exceeded.

This is a known issue that is currently being investigated.

Issues Fixed in Cumulus Linux 3.7.3

The following is a list of issues fixed in Cumulus Linux 3.7.3 from earlier versions of Cumulus Linux.

Release Note ID Summary Description

RN-885 (CM-20530)
NCLU 'net show interface' command shows NotConfigured for unnumbered interfaces

When an interface is configured for OSPF/BGP unnumbered, the net show interface command shows NotConfigured instead of showing that it is unnumbered.

This issue is fixed in Cumulus Linux 3.7.3.


RN-900 (CM-20026)
OSPF default-information originate stops working if removed and added in quick succession

When OSPF is originating a default route, and the command is removed from the process, then re-added, the router stops advertising the default route. Configuring the default-information originate command a second time causes it to start working.

This issue is fixed in Cumulus Linux 3.7.3.


RN-998 (CM-21398)
Creating a MGMT ACL with NCLU commands results in a FORWARD entry

If you use NCLU to configure an ACL for eth0, you cannot designate it as an INPUT rule; the rule is automatically created as a FORWARD rule in the /etc/cumulus/acl/policy.d/50_nclu_acl.rules file.

This issue is fixed in Cumulus Linux 3.7.3.


RN-1066 (CM-22290)
With dynamic route leaking, software forwarding of packets fails between connected source and destination

When using dynamic route leaking, software forwarding of packets fails between the connected source and destination.

To work around this issue, configure the leak on a switch that does not have any locally-connected hosts.

This issue is fixed in Cumulus Linux 3.7.3.


RN-1095 (CM-21813)
The NCLU net add and net commit commands edit the interfaces file even when the interface configuration is not changed

The NCLU net add and net commit commands change the interfaces file even if you only add a service setting such as snmp or hostname. This causes an issue with automation. For example, Ansible runs handlers (ifreload -a for interfaces) during each push if the file being edited changes.

This issue is fixed in Cumulus Linux 3.7.3.


RN-1101 (CM-22216)
On Mellanox switches, RASH with VXLAN is not moving flows when losing the ECMP path

When RASH is enabled and an ECMP path is taken away using the ip link set <swp> down command, traffic using that ECMP path is never moved to another path and is dropped permanently.

This issue is fixed in Cumulus Linux 3.7.3.


RN-1102 (CM-22121)
On a Mellanox switch configured for ECMP resilient hashing, No more resources errors are seen

This is due to a limitation between Cumulus Linux and the Mellanox hardware. Currently, on a Mellanox switch, Cumulus Linux supports only four ECMP containers with 1000 hash entries per container.

This issue is fixed in Cumulus Linux 3.7.3.


RN-1133 (CM-22590)
NCLU `net show configuration commands` does not show output for an IPv6 rsyslog host

NCLU net show configuration commands does not display any output for IPv6 rsyslog hosts.

This issue is fixed in Cumulus Linux 3.7.3.


RN-1134 (CM-22589)
NCLU net show configuration commands displays a syslog command with invalid syntax

NCLU net show configuration commands displays a net add syslog command with invalid syntax. For example, if you run the following commands:

cumulus@switch:~$  net add syslog host ipv4 10.0.0.1 port udp 514
cumulus@switch:~$  net commit

then run net show configuration commands, the syntax of the command shown in the output is invalid.

This issue is fixed in Cumulus Linux 3.7.3.


RN-1142 (CM-22657)
The NCLU net show counters json command fails with an error

When you run the net show counters json command, you see the following error if any value is Unknown:

ERROR: Execution of the command failed. 
"/usr/cumulus/bin/cl-netstat -j" failed. 
Traceback (most recent call last): 
File "/usr/cumulus/bin/cl-netstat", line 292, in <module> 
cnstat_diff_print(cnstat_dict, cnstat_cached_dict, use_json) 
File "/usr/cumulus/bin/cl-netstat", line 135, in cnstat_diff_print 
print table_as_json(table) 
File "/usr/cumulus/bin/cl-netstat", line 62, in table_as_json 
header[3] : int(line[3]), 
ValueError: invalid literal for int() with base 10: 'Unknown'

To work around this issue, run the following command to clear out the semaphore file created by cl-netstat -c:

cumulus@switch:~$  rm /tmp/cl-netstat-$UID/$UID

This issue is fixed in Cumulus Linux 3.7.3.


RN-1146 (CM-22796)
Switch ports previously in MLAG go unexpectedly into protodown on state

Switch ports that are configured as MLAG interfaces, then deleted, go into protodown on state unexpectedly.

To work around this issue, turn off protodown manually with the ip link command:

cumulus@switch:~$ ip link set <interface> protodown off

This issue is fixed in Cumulus Linux 3.7.3.


RN-1165 (CM-22802)
The NCLU bridge pvid command does not add the interface to bridge ports

When you run the net add (bond|interface) <iface> bridge pvid command, NCLU does not add the port as a slave of the VLAN-aware bridge.

This issue is fixed in Cumulus Linux 3.7.3.


RN-1171 (CM-22950)
Debian Security Advisory DSA-4335-1 for nginx issues CVE-2018-16843 CVE-2018-16844 CVE-2018-16845

The following CVEs were announced in Debian Security Advisory DSA-4335-1, and affect the nginx package.

This issue is fixed in Cumulus Linux 3.7.3.

-------------------------------------------------------------------------------------

Debian Security Advisory DSA-4335-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

November 08, 2018 https://www.debian.org/security/faq

------------------------------------------------------------------------------------------

Package : nginx

CVE ID : CVE-2018-16843 CVE-2018-16844 CVE-2018-16845

Three vulnerabilities were discovered in Nginx, a high-performance web and reverse proxy server, which could result in denial of service in processing HTTP/2 (via excessive memory/CPU usage) or server memory disclosure in the ngx_http_mp4_module module (used for server-side MP4 streaming).

For the stable distribution (stretch), these problems have been fixed in version 1.10.3-1+deb9u2.

We recommend that you upgrade your nginx packages.

For the detailed security status of nginx please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/nginx


RN-1185 (CM-23062)
On the Celestica RedstoneV switch, swp14 and swp22 do not work

On the Celestica RedstoneV switch, the hardware settings are incorrect on swp14 and swp22.

This issue is fixed in Cumulus Linux 3.7.3.


RN-1186 (CM-23008)
EVPN type-5 received AS-Path prepend not propagated to IBGP peers

The as-path is not propagating for EVPN type-5 prefixes until forced with a clear.

This issue is fixed in Cumulus Linux 3.7.3.


RN-1190 (CM-22775)
On the Dell S5232F switch, the i2c bus might get stuck

If a pluggable is removed from the Dell S5232F switch during a read transaction, the ocores driver gets stuck and no more i2c transactions are possible on that core.

This issue is fixed in Cumulus Linux 3.7.3.


RN-1197 (CM-23278)
Non-vagrant Cumulus VX images include an unneeded vagrant user

Cumulus VX images for versions 3.7.0 through 3.7.2 include a vagrant user, as the vagrant box format requires it in order to function. This user is not needed; remove the user from the following Cumulus VX images:

  • cumulus-linux-3.7.0-vx-amd64-qemu.qcow2
  • cumulus-linux-3.7.0-vx-amd64-vbox.ova
  • cumulus-linux-3.7.0-vx-amd64-vmware.ova
  • cumulus-linux-3.7.1-vx-amd64-qemu.qcow2
  • cumulus-linux-3.7.1-vx-amd64-vbox.ova
  • cumulus-linux-3.7.1-vx-amd64-vmware.ova
  • cumulus-linux-3.7.2-vx-amd64-qemu.qcow2
  • cumulus-linux-3.7.2-vx-amd64-vbox.ova
  • cumulus-linux-3.7.2-vx-amd64-vmware.ova

To remove the vagrant user, run:

cumulus@switch:~$ sudo userdel [-r] vagrant

This issue is fixed in Cumulus VX 3.7.3.


RN-1204 (CM-23463)
OVSDB `grep` logs spam the /var/log/openvswitch/ovs-vtepd.log file

Log entries containing grep commands almost completely fill the /var/log/openvswitch/ovs-vtepd.log file.

This issue is fixed in Cumulus Linux 3.7.3.


RN-1205 (CM-23435)
On Trident3 switches, the 25G BASE-LR optics interface_mode is not set automatically

On Trident3 switches, the LR interface_mode for 25G optics is not set automatically.

This issue is fixed in Cumulus Linux 3.7.3.


RN-1206 (CM-23399)
Debian Security Advisory DSA-4360-1 for libarchive CVE-2016-10209 CVE-2016-10349 CVE-2016-10350 CVE-2017-14166 CVE-2017-14501 CVE-2017-14502 CVE-2017-14503 CVE-2018-1000877 CVE-2018-1000878 CVE-2018-1000880

The following CVEs were announced in Debian Security Advisory DSA-4360-1, and affect the libarchive package.

This issue is fixed in Cumulus Linux 3.7.3.

-------------------------------------------------------------------------------------

Debian Security Advisory DSA-4360-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

December 27, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------------------

Package: libarchive

CVE ID: CVE-2016-10209 CVE-2016-10349 CVE-2016-10350 CVE-2017-14166
CVE-2017-14501 CVE-2017-14502 CVE-2017-14503 CVE-2018-1000877
CVE-2018-1000878 CVE-2018-1000880

Multiple security issues were found in libarchive, a multi-format archive and compression library: Processing malformed RAR archives could result in denial of service or the execution of arbitrary code and malformed WARC, LHarc, ISO, Xar or CAB archives could result in denial of service.

For the stable distribution (stretch), these problems have been fixed in version 3.2.2-2+deb9u1.

We recommend that you upgrade your libarchive packages.

For the detailed security status of libarchive, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/libarchive


RN-1207 (CM-23355)
On the Delta AG7648 switch, `portwd sfp_tx_enable` flags should be set to low

Many of the SFPs are not enabled until SFP_TX_ENABLE is set manually.

This issue is fixed in Cumulus Linux 3.7.3.


RN-1208 (CM-23350)
PTMD shows the interface as pass when the link is down

If an interface is correctly configured according to the /etc/ptm.d/topology.dot file (pass) and the link then goes down, ptmd still shows the cbl status as pass.

This issue is fixed in Cumulus Linux 3.7.3.


RN-1209 (CM-23321)
In an EVPN asymmetric type 5 deployment, the EVPN arp-cache of the remote leaf's SVI is incorrect on the local leaf

In an EVPN asymmetric type 5 deployment, the EVPN arp-cache of the SVI on the remote leaf is incorrect on the local leaf, which causes a ping failure from the SVI on the remote leaf to the server attached on the local leaf in the same VLAN.

This issue is fixed in Cumulus Linux 3.7.3.


RN-1210 (CM-23310)
KVM support for clock synchronization is missing in the Telemetry Server kernel

The kvm-clock module is missing in the kernel on the telemetry server. The system clock only advances one second for approximately every ten real-time seconds that pass. This stops NTP from being able to synchronize the clock.

This issue is fixed in Cumulus Linux 3.7.3.


RN-1211 (CM-23294)
The MLAG state is inconsistent with mstpd

Both switches in an MLAG configuration show the correct MLAG role status; however, mstpd shows both switches in the MLAG primary role, which causes constant STP recalculation, shows the peer link in the STP backup port role, and shows traffic as blocked.

This issue is fixed in Cumulus Linux 3.7.3.


RN-1212 (CM-23293)
VRF route deletion by frr.conf fails with FRR reload

If you add a route for a VRF with the ip route command (which writes the route to the /etc/frr/frr.conf file), reload FRR, and then remove the route from the file, the route is not removed when FRR reloads.

This issue is fixed in Cumulus Linux 3.7.3.


RN-1213 (CM-23266)
Certain commands cause a traceback if the /etc/hostapd.conf file does not exist

When the /etc/hostapd.conf file does not exist, the following sequence of commands causes a traceback:

cumulus@switch:~$ net add interface swp1 link down
cumulus@switch:~$ net pending
cumulus@switch:~$ net commit
cumulus@switch:~$ net del interface swp1 link down

To work around this issue:

  1. Create the /etc/hostapd.conf file with the following default contents:

     eap_server=0
     ieee8021x=1
     driver=wired
     interfaces=
     mab_interfaces=
     parking_vlan_interfaces=
     parking_vlan_id=
     mab_activation_delay=30
     eap_reauth_period=0
     eap_send_identity=0
     ctrl_interface=/var/run/hostapd
     nas_identifier=localhost
     auth_server_addr=
     auth_server_port=1812
     auth_server_shared_secret=
     acct_server_addr=
     acct_server_port=1813
     acct_server_shared_secret=

  2. Issue the following commands to set the ownership and permissions:

     sudo chown root.root /etc/hostapd.conf
     sudo chmod 600 /etc/hostapd.conf

This issue is fixed in Cumulus Linux 3.7.3.
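The two workaround steps above, applied as one script. This is an added example and not part of the release notes or of Cumulus Linux: the file contents are exactly the defaults listed above, and the function name install_default_hostapd_conf and its optional path argument are this example's own, so it can be exercised on a scratch file before being run with sudo against /etc/hostapd.conf. It refuses to overwrite an existing file and creates the new one with umask 077, so a file that will later carry RADIUS shared secrets is never world-readable, not even between the create and chmod steps.

```shell
#!/bin/sh
# Added example (not from the release notes): apply the RN-1213 workaround by
# creating /etc/hostapd.conf with the default contents listed above, owned by
# root with mode 0600, without clobbering an existing file. The destination
# path is an argument so the function can be exercised on a scratch file.

install_default_hostapd_conf() {
    conf="${1:-/etc/hostapd.conf}"
    if [ -e "$conf" ]; then
        echo "$conf already exists; leaving it untouched"
        return 0
    fi
    # Create the file already restricted to its owner: it will hold RADIUS
    # shared secrets, so there must be no moment where other users can read it.
    old_umask=$(umask)
    umask 077
    cat > "$conf" <<'EOF'
eap_server=0
ieee8021x=1
driver=wired
interfaces=
mab_interfaces=
parking_vlan_interfaces=
parking_vlan_id=
mab_activation_delay=30
eap_reauth_period=0
eap_send_identity=0
ctrl_interface=/var/run/hostapd
nas_identifier=localhost
auth_server_addr=
auth_server_port=1812
auth_server_shared_secret=
acct_server_addr=
acct_server_port=1813
acct_server_shared_secret=
EOF
    umask "$old_umask"
    # The chown step of the workaround needs root; an unprivileged caller
    # already owns the file it just created. chmod 600 mirrors step 2 explicitly.
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$conf"
    fi
    chmod 600 "$conf"
    echo "created $conf"
}

# Permission string as printed by ls -l (for example -rw-------), for a quick check.
file_mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Demonstration on a scratch path so running the script as-is never touches /etc;
# on the switch, call it with no argument (or with /etc/hostapd.conf) under sudo.
demo_conf=$(mktemp -u)
install_default_hostapd_conf "$demo_conf"
echo "mode: $(file_mode_string "$demo_conf")"
rm -f "$demo_conf"
```

The workaround writes chown root.root; the script uses the equivalent root:root form, which is the one GNU coreutils documents. Running it a second time is harmless, which matters when it is dropped into a provisioning or ZTP step.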


RN-1214 (CM-23263)
In an EVPN configuration, the route map fails to filter type-5 routes

After upgrading to Cumulus Linux 3.7.2, the BGP route map does not filter type-5 routes.

This issue is fixed in Cumulus Linux 3.7.3.


RN-1215 (CM-23203)
ACL matching 0.0.0.0 now interpreted as a single host 0.0.0.0/32

In Cumulus Linux 3.7.2 and earlier, an ACL entry containing 0.0.0.0 as a match parameter is interpreted as a catchall address (0.0.0.0 = 0.0.0.0/0). However, in Cumulus Linux 3.7.3 and later, an ACL entry containing 0.0.0.0 as a match parameter is interpreted as a single address (0.0.0.0 = 0.0.0.0/32).

Review your current ACLs and update as necessary to include the proper subnet mask.


RN-1217 (CM-23126)
Debian Security Advisory DSA-4349-1 for libtiff5 (tiff) CVE-2017-11613 CVE-2017-17095 CVE-2018-5784 CVE-2018-7456 CVE-2018-8905 CVE-2018-10963 CVE-2018-17101 CVE-2018-18557 CVE-2018-15209 CVE-2018-16335

The following CVEs were announced in Debian Security Advisory DSA-4349-1, and affect the libtiff5 package.

This issue is fixed in Cumulus Linux 3.7.3.

-------------------------------------------------------------------------------------

Debian Security Advisory DSA-4349-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

November 30, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------------------

Package: libtiff5

CVE ID: CVE-2017-11613 CVE-2017-17095 CVE-2018-5784 CVE-2018-7456
CVE-2018-8905 CVE-2018-10963 CVE-2018-17101 CVE-2018-18557
CVE-2018-15209 CVE-2018-16335

Multiple vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed.

For the stable distribution (stretch), these problems have been fixed in version 4.0.8-2+deb9u4.

We recommend that you upgrade your tiff packages.

For the detailed security status of tiff, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/tiff


RN-1218 (CM-22974)
Debian Security Advisory DSA-4338-1 for qemu CVE-2018-10839 CVE-2018-17962 CVE-2018-17963

The following CVEs were announced in Debian Security Advisory DSA-4338-1, and affect the qemu package.

This issue is fixed in Cumulus Linux 3.7.3.

-------------------------------------------------------------------------------------

Debian Security Advisory DSA-4338-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

November 11, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------------------

Package: qemu

CVE ID: CVE-2018-10839 CVE-2018-17962 CVE-2018-17963

Debian Bug: 908682 910431 911468 911469

Integer overflows in the processing of packets in network cards emulated by QEMU, a fast processor emulator, could result in denial of service.

In addition this update backports support to passthrough the new CPU features added in the intel-microcode update shipped in DSA 4273 to x86-based guests.

For the stable distribution (stretch), these problems have been fixed in version 1:2.8+dfsg-6+deb9u5.

We recommend that you upgrade your qemu packages.

For the detailed security status of qemu, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/qemu

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/


RN-1226 (CM-23148)
mlxfirmware upgrade fails at boot

When booting the switch, the mlxfirmware upgrade fails because a call is made to a file that does not yet exist (the firmware information is not available). This upgrade failure prevents sx_sdk.service and switchd from starting. The switch boots but does not forward any traffic, causing a major outage.

This issue is fixed in Cumulus Linux 3.7.3.


RN-1227 (CM-23135)
When you bring down a virtual interface, then run ifreload -a, the interface comes back up

Running ifdown vlan or ip link set vlan down brings down a virtual interface but the interface always comes back up after you run the ifreload -a or net commit command.

This issue is fixed in Cumulus Linux 3.7.3.


RN-1228 (CM-23110)
BGP crashes with `bgp_parse_nexthop_update`

BGP crashes with the error bgp_parse_nexthop_update.

This issue is fixed in Cumulus Linux 3.7.3.


RN-1244 (CM-23441)
clagd permanent MAC sync for SVI related to Layer 3 VNI

Cumulus Linux 3.7.2 introduced clagd synchronization for permanent MAC addresses (MAC address of SVI interfaces). By allowing this permanent address to be synchronized, each MLAG system installs the MAC address over the peer link. While this forwarding entry is programmed, this device cannot properly decapsulate VXLAN packets, which results in these packets being discarded.

To work around this issue, make sure that the VLAN ID (SVI used for the layer 3 VNI) is not part of the bridge in an MLAG configuration. This ensures that traffic tagged with that VLAN ID is not forwarded on the peer link or other trunks.

This issue is fixed in Cumulus Linux 3.7.3, where the clagd system MAC address is used as the hardware address for the layer 3 VNI SVI.


RN-1255 (CM-23656)
`net del all` sets `zebra=yes` in /etc/frr/daemons and can cause ZTP to fail

Adding the net del all command in a ZTP script sets zebra=yes in /etc/frr/daemons. This causes ZTP to fail.

This is expected behavior and is documented in the user guide.


RN-1259 (CM-21346)
`switchd` error log: hal_bcm_l3.c:1364 ERR cannot find if for next hop, BOND

When links are not synchronized before associated routes, switchd shows the following error log:

hal_bcm_l3.c:1364 ERR cannot find if for next hop, BOND: bond 2, vlan 100.0 unit 0 nh_unit 0

This issue is fixed in Cumulus Linux 3.7.3.


RN-1263 (CM-23020)
Neighbor entry in FAILED state on centralized gateway does not get resolved and sometimes causes a forwarding failure

When an IP neighbor entry for a host behind an access switch pair is in a FAILED state on a centralized gateway and does not get resolved, a forwarding failure might result.

This issue is fixed in Cumulus Linux 3.7.3.


RN-1264 (CM-22940)
FEC is set when another interface is changed

FEC is set when another interface is changed because ifupdown2 performs an invalid comparison; switchd then modifies the configuration, causing the link to flap.

This issue is fixed in Cumulus Linux 3.7.3.


RN-1267 (CM-21482)
In an EVPN configuration, an incorrect RD/RT is sent after a port flap

The wrong route target/route distinguisher is sent in an EVPN advertisement after a port flap.

This issue is fixed in Cumulus Linux 3.7.3.


RN-1268 (CM-23318)
When you insert a 10G-BaseT SFP module in the Dell S4000 or S4148 switch, `portwd` reports a failed reading

On the Dell S4000 and S4148 switch, when you insert a 10G-BaseT module, portwd reports a failed reading.

This issue is fixed in Cumulus Linux 3.7.3.


RN-1342 (CM-23936)
Traffic increments FORWARD ACL rule counter but does not perform LOG action

Traffic increments the FORWARD ACL rule counter, but nothing is logged to syslog.

This issue is fixed in Cumulus Linux 3.7.3.

The following issue was added on October 4, 2019.

RN-1578 (CM-23565)
EVPN prefixes keep max-med on-startup value after timer expires

EVPN prefixes retain the max-med on startup value after the timer expires.

This issue is fixed in Cumulus Linux 3.7.3.

New Known Issues in Cumulus Linux 3.7.3

The following issues affect the Cumulus Linux 3.7.3 release.


RN-1202 (CM-23398)
Debian Security Advisory DSA-4359-1 for wireshark CVE-2018-12086 CVE-2018-18225 CVE-2018-18226 CVE-2018-18227 CVE-2018-19622 CVE-2018-19623 CVE-2018-19624 CVE-2018-19625 CVE-2018-19626 CVE-2018-19627 CVE-2018-19628

The following CVEs were announced in Debian Security Advisory DSA-4359-1 and affect the wireshark package.

-----------------------------------------------------------------------------------

Debian Security Advisory DSA-4359-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

December 27, 2018 https://www.debian.org/security/faq

----------------------------------------------------------------------------------

Package: wireshark

CVE ID: CVE-2018-12086 CVE-2018-18225 CVE-2018-18226 CVE-2018-18227
CVE-2018-19622 CVE-2018-19623 CVE-2018-19624 CVE-2018-19625 CVE-2018-19626
CVE-2018-19627 CVE-2018-19628

Multiple vulnerabilities have been discovered in Wireshark, a network protocol analyzer, which could result in denial of service or the execution of arbitrary code.

For the stable distribution (stretch), these problems have been fixed in version 2.6.5-1~deb9u1.

We recommend that you upgrade your wireshark packages.

For the detailed security status of wireshark, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/wireshark

This issue will be fixed in a future version of Cumulus Linux.


RN-1203 (CM-23535)
Debian Security Advisory DSA-4367-1 for systemd CVE-2018-16865

The following CVEs were announced in Debian Security Advisory DSA-4367-1 and affect the systemd package.

-----------------------------------------------------------------------------------

Debian Security Advisory DSA-4367-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

January 13, 2019 https://www.debian.org/security/faq

-----------------------------------------------------------------------------------

Package: systemd

CVE ID: CVE-2018-16864 CVE-2018-16865 CVE-2018-16866

Debian Bug: 918841 918848

The Qualys Research Labs discovered multiple vulnerabilities in systemd-journald. Two memory corruption flaws, via attacker-controlled alloca()s (CVE-2018-16864, CVE-2018-16865) and an out-of-bounds read flaw leading to an information leak (CVE-2018-16866), could allow an attacker to cause a denial of service or the execution of arbitrary code.

Further details in the Qualys Security Advisory at https://www.qualys.com/2019/01/09/system-down/system-down.txt

For the stable distribution (stretch), these problems have been fixed in version 232-25+deb9u7.

We recommend that you upgrade your systemd packages.

For the detailed security status of systemd, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/systemd

This issue will be fixed in a future version of Cumulus Linux.


RN-1219 (CM-23523)
NCLU `show_linux_command = True` does not show linux commands

Modifying the /etc/netd.conf file to set show_linux_command = True does not take effect.

This is a known issue that is currently being investigated.


RN-1220 (CM-23422)
Error reading and writing from module causes module type to change

portwd changes the module type in response to a read or write error. For example, a bad write to a module might cause the module type to flap, which causes the link itself to flap.

This is a known issue that is currently being investigated.


RN-1221 (CM-23418)
`sudo ifdown` does not disable Tx Laser on QSFP+

For Flexoptix modules, the sudo ifdown command does not disable the Tx laser.

This is a known issue that is currently being investigated.


RN-1222 (CM-23417)
Using NCLU to create an IBGP peer link creates EBGP instead of IBGP

When you use NCLU to create an IBGP peering across the peer link, adding the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new EBGP neighborship even though one has already been configured for IBGP. This is unexpected; the existing IBGP configuration is valid.

This is a known issue that is currently being investigated.


RN-1223 (CM-20966)
LLDP information is missing for a switch port when you run `net show interface`

The NCLU net show lldp and net show interface commands do not show LLDP information for swp* (eth is unaffected).

This is a known issue that is currently being investigated.


RN-1224 (CM-21667)
BGP ttl-security does not get inherited by individual neighbors when applied to peer group

FRR does not add ttl-security to either the running configuration or to the /etc/frr/frr.conf file when configured on a peer group instead of a specific neighbor.

This is a known issue that is currently being investigated.


RN-1229 (CM-23615)
On the Edgecore AS7816-64X switch, fans might spin at high speed

On the Edgecore AS7816-64X switch, the fans might spin at high speeds even when the temperature is not high.

This is a known issue that is currently being investigated.


RN-1230 (CM-23584)
NCLU programs control plane ACL in FORWARD chain

When you configure a control plane ACL to define permit and deny rules destined to the local switch, NCLU programs the control plane ACL rules into the FORWARD chain.

This is a known issue that is currently being investigated.


RN-1231 (CM-23384)
On a Mellanox switch, you cannot disable FEC

You cannot currently disable FEC in Cumulus Linux on a Mellanox switch.

This is a known issue that is currently being investigated.


RN-1233 (CM-23298)
On the Dell S4148 switch, `switchd` fails to restart if link pause is enabled

On the Dell S4148 switch, if link pause is enabled in the /etc/cumulus/datapath/traffic.conf file, switchd fails to restart.

This is a known issue that is currently being investigated.


RN-1234 (CM-23115)
Using NCLU to reapply an IPv6 only neighbor causes BGP to flap

When you configure an IPv6 only neighbor with NCLU without the peer-group command, then execute the same commands again, the BGP session is reset.

For example, if you run the following commands:

cumulus@switch:~$ net add bgp neighbor swp29 interface remote-as external
cumulus@switch:~$ net add bgp neighbor swp29 interface v6only

Cumulus Linux removes the net commands and adds the following line to FRR (using v6only remote-as), which causes BGP to flap.

neighbor swp29 interface v6only remote-as external

This issue does not occur if you add the peer-group command; for example:

cumulus@switch:~$ net add bgp neighbor external peer-group
cumulus@switch:~$ net add bgp neighbor external remote-as external
cumulus@switch:~$ net add bgp neighbor swp29 interface v6only peer-group external

This is a known issue that is currently being investigated.


RN-1235 (CM-23116)
ISIS traffic is forwarded to the CPU and is not forwarded on the bridge

Bridging ISIS traffic fails because layer 2 cache rules forward ISIS traffic to the CPU, where it is then dropped.

To work around this issue, contact Customer Support.

This is a known issue that is currently being investigated.


RN-1236 (CM-23123)
FEC settings are persistent after being removed from the configuration

When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none.

This is a known issue that is currently being investigated.


RN-1237 (CM-23202)
BGP neighbor is up but missing and fails to apply route maps

When the Cumulus Linux switch has a BGP neighbor that is a host running FRR 5.0, if the host's FRR syslog level is set to debugging and FRR is restarted, the BGP neighbor comes up according to frr.log, but on the switch the neighbor does not appear in the show ip bgp vrf all summary command output (or in other neighbor command output). Routes from the host appear fine, but the route map is not applied.

To work around this issue, either run FRR 6.0 on the host or avoid running debug logging.

This is a known issue that is currently being investigated.


RN-1238 (CM-23280)
MLAG secondary switch brings bonds up but not VXLAN VNIs on loss of peer link followed by backup IP becoming inactive

The MLAG secondary switch brings up bonds but not VXLAN VNIs when the peer link is lost and the backup IP address becomes inactive.

This is a known issue that is currently being investigated.


RN-1239 (CM-23128)
On Mellanox SN2100 switches, eth0 always has a speed of 100Mb on boot

After rebooting the Mellanox SN2100 switch, eth0 always has a speed of 100Mb/s. If you bring the interface down and then back up again, the interface negotiates 1000Mb. This only occurs the first time that the interface comes up.

To work around this issue, either flap the interface or add commands to the /etc/rc.local file so that this occurs on boot automatically.

This is a known issue that is currently being investigated.


RN-1240 (CM-23285)
Moving an interface from a bridge to a VRF in one commit fails to create an IPv6 link-local address

When you remove an interface from a bridge and add it to a VRF in the same commit/ifreload, the IPv6 link-local address is not created automatically.

To work around this issue, make the change in two separate commits. First, remove the interface from the bridge, which makes it a layer 2 interface. Second, enslave the interface to the VRF.

This is a known issue that is currently being investigated.


RN-1241 (CM-23397)
On a Broadcom switch, forwarded link-local multicast frames received on access ports are duplicated over VXLAN

On Broadcom switches, when a link-local multicast frame is received on an access port with a VNI in the bridge, two copies of the packet are sent across the VNI to remote VTEPs and the receiving hosts observe duplicate packets.

This is a known issue that is currently being investigated.


RN-1242 (CM-23423)
VXLAN type-5 route ECMP not working when VTEPs are directly connected

For VXLAN type-5 routes, ECMP does not work when the VTEP is directly connected to remote VTEPs.

To work around this issue, add an additional device in the VXLAN fabric between the local and remote VTEPs, so that local and remote VTEPs are not directly connected.

This is a known issue that is currently being investigated.


RN-1243 (CM-23440)
EVPN type-5 default route advertised with incorrect next hop

In an EVPN symmetric routing deployment with active-active anycast IP configured, the next hop attribute is sometimes set to a unique address instead of the anycast IP address.

To work around this issue, do not use default-originate ipv4; instead configure the network statements (recommended for small scale deployments).

This is a known issue that is currently being investigated.


RN-1245 (CM-23657)
Flapping the VNI with ifdown causes the MTU for an SVI to revert to 1500

When you flap a VNI with ifdown vni and ifup vni, the value of all MTUs for the SVI lowers to 1500 regardless of the default value set in the /etc/network/ifupdown2/policy.d/mtu.json file. This behavior does not occur if you flap the link with ip link set vni down.

This is a known issue that is currently being investigated.


RN-1246 (CM-23651)
In an EVPN symmetric routing configuration, when an MAC/IP address is frozen, the kernel neighbor and routing table information is out-of-sync

In an EVPN symmetric routing configuration, when an IP address is frozen, kernel neighbor table information and kernel VRF routing table information about the frozen IP address might be out-of-sync.

This is a known issue that is currently being investigated.


RN-1247 (CM-23649)
In EVPN with duplicate address detection, after a MAC address is frozen, if a remote update is received with a higher sequence number, the offload entry is installed in bridge fdb

When a MAC address is frozen, if the switch receives an update for that MAC address from a remote VTEP and the remote sequence number of that update is higher than its local sequence number, the switch programs that MAC address in the kernel bridge FDB as an offload entry reachable behind that remote VTEP. This occurs only when the MAC is moving across three or more VTEPs.

This is a known issue that is currently being investigated.


RN-1248 (CM-23631)
On the Trident3 switch, not all ping requests match on the ingress ACL rule

On Trident3 switches, not all ping requests match on the ingress ACL rule.

This is a known issue that is currently being investigated.


RN-1251 (CM-23701)
cl-acltool fails to install multiple rules as ordered set

ACL install is sensitive to the ordering of the LOG/DROP rules. For example, an ACL policy.d file containing only the following:

-A FORWARD -s 192.0.2.10,192.0.2.11 -j LOG
-A FORWARD -s 192.0.2.10,192.0.2.11 -j DROP

fails to install with the following error message from cl-acltool -i:

error: hw sync failed (Cannot process iptables,FORWARD,78,Rule with LOG must be followed by same rule with DROP)

This happens because cl-acltool internally expands the two rules in the wrong order.

This is a known issue that is currently being investigated.


RN-1252 (CM-23700)
cl-acltool does not install LOG rules if the source or destination has multiple comma-separated prefixes

cl-acltool -i fails to install LOG rules if either the source or destination (-d or -s) has multiple comma-separated values, such as:

-A FORWARD -s "192.168.0.0/16" -d "192.168.0.0/16,172.16.0.0/12" -j LOG --log-prefix "DROP: "
-A FORWARD -s "192.168.0.0/16" -d "192.168.0.0/16,172.16.0.0/12" -j DROP

You see errors similar to the following:

error: hw sync failed (Cannot process iptables,FORWARD,46,Rule with LOG must be followed by same rule with DROP)
error: hw sync failed (Cannot process ip6tables,FORWARD,30,Rule with LOG must be followed by same rule with DROP)

This is a known issue that is currently being investigated.
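Both the 0.0.0.0 reinterpretation in RN-1215 and the LOG/DROP expansion failures in RN-1251 and RN-1252 are caught by reading the policy files before an upgrade rather than by discovering them after cl-acltool -i fails. The script below is an added example, not code from the release notes or from Cumulus Linux: it lints a cl-acltool policy file for rule lines that carry 0.0.0.0 with no prefix length and for LOG rules whose -s or -d value is a comma-separated list. The function names audit_acl_rules and count_acl_findings are this example's own, and the rules file it scans is a constructed sample; on a switch, point it at the files under /etc/cumulus/acl/policy.d/ instead.

```shell
#!/bin/sh
# Added example (not from the release notes): lint a cl-acltool policy file for
# the two ACL pitfalls described in RN-1215 and RN-1251/RN-1252 before upgrading.
# On a switch, run it against /etc/cumulus/acl/policy.d/*.rules; the file written
# here is a constructed sample so the script runs anywhere.

SAMPLE_RULES=$(mktemp)
trap 'rm -f "$SAMPLE_RULES"' EXIT
cat > "$SAMPLE_RULES" <<'EOF'
[iptables]
# bare 0.0.0.0: catch-all up to 3.7.2, single host 0.0.0.0/32 from 3.7.3 (RN-1215)
-A INPUT -s 0.0.0.0 -p tcp --dport 22 -j ACCEPT
# explicit prefix length: means the same thing in every release
-A INPUT -s 0.0.0.0/0 -p udp --dport 123 -j ACCEPT
# comma-separated prefixes on a LOG rule: cl-acltool -i rejects the pair (RN-1251/RN-1252)
-A FORWARD -s 192.0.2.10,192.0.2.11 -j LOG
-A FORWARD -s 192.0.2.10,192.0.2.11 -j DROP
# single prefix on a LOG rule followed by the same DROP: installs fine
-A FORWARD -d 198.51.100.0/24 -j LOG --log-prefix "DROP: "
-A FORWARD -d 198.51.100.0/24 -j DROP
EOF

# Print one finding per offending rule line; exit status is 1 when anything was found.
audit_acl_rules() {
    awk '
        # skip blank lines, comments and [iptables]/[ip6tables]/[ebtables] section headers
        /^[ \t]*$/ || /^[ \t]*#/ || /^[ \t]*\[/ { next }
        # 0.0.0.0 with no /prefix: its meaning flips from /0 to /32 in 3.7.3 (RN-1215)
        $0 ~ "(^|[^0-9.])0[.]0[.]0[.]0([^/0-9.]|$)" {
            printf "%s:%d: bare 0.0.0.0 without prefix length (RN-1215)\n", FILENAME, FNR
            n++
        }
        # LOG target combined with a comma-separated -s or -d list (RN-1251/RN-1252)
        / -j +LOG/ && / -[sd] +[^ ]*,/ {
            printf "%s:%d: LOG rule with comma-separated prefixes (RN-1251/RN-1252)\n", FILENAME, FNR
            n++
        }
        END { exit (n > 0) }
    ' "$1"
}

# Number of findings in a file, for use from other scripts (0 means clean).
count_acl_findings() {
    audit_acl_rules "$1" | wc -l | tr -d ' '
}

audit_acl_rules "$SAMPLE_RULES" || echo "review the rules above before upgrading to 3.7.3"
```

A bare 0.0.0.0 is reported whether or not it is the intended catch-all, because only the rule's author can say which meaning was wanted; adding the explicit /0 or /32 removes the ambiguity and the finding at the same time. The comma check only fires on LOG rules, since the DROP line of a pair installs on its own and the advisory's error message is about the LOG line that precedes it.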


RN-1253 (CM-23696)
IPv6 unregistered multicast packets flooded despite bridge.optimized_mcast_flood = TRUE

IPv6 multicast traffic destined to an unregistered multicast group is flooded to all ports in a bridge despite the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file.

This is a known issue that is currently being investigated.


RN-1254 (CM-23665)
NCLU incorrectly programs the layer 3 VNI in an EVPN symmetric routing configuration

NCLU automatically adds the VLAN ID (for the layer 3 VNI/SVI) to the bridge when you use the net add vxlan [L3VNI] bridge access [VLAN] command.

This configuration breaks network connectivity in an MLAG system in an EVPN symmetric routing configuration.

To restore connectivity, you need to remove the VLAN ID from the bridge.

This is a known issue that is currently being investigated.


RN-1256 (CM-23652)
`net show bridge spanning-tree` does not show the MLAG peer link in an STP forwarding instance

The NCLU command net show bridge spanning-tree does not show the MLAG peer link as part of the STP forwarding instance.

This is a known issue that is currently being investigated.


RN-1257 (CM-23586)
Attribute change does not factor into route filtering when injecting into EVPN

EVPN supports a route map to control which routes in the BGP VRF routing table can inject into EVPN as type-5. This is supposed to operate properly on all common criteria handled by BGP route maps. However, when there is an attribute change that results in the route having to be filtered out, it does not remove the route from EVPN if previously obtained from there.

This is a known issue that is currently being investigated.


RN-1258 (CM-23709)
ECMP + LACP bond hashing unbalanced over VXLAN

In a layer 2 VXLAN configuration, where each ECMP path is a layer 3 LACP bond with multiple port members, ECMP hash appears fine for data traffic over VXLAN from one VTEP to another, but the LACP hash is unbalanced.

This is a known issue that is currently being investigated.


RN-1261 (CM-23739)
On the Edgecore AS7816 switch, links for ports configured as 4x do not come up

On the Edgecore AS7816 switch, when you configure ports as 4x, the links for the ports do not come up and the port EEPROM cannot be read.

This is a known issue that is currently being investigated.


RN-1262 (CM-23438)
In an EVPN configuration, recovery after freeze is not clean in the case of extended mobility

In an EVPN configuration with the freeze duplicate address option enabled, when a duplicate address is detected during extended mobility (the host or VM moves with a change of IP-MAC binding or the IP address of the VM is re-used on a different rack soon after the previous VM is shut down), the local switch does not install the host's MAC and neighbor entries correctly.

To work around this issue, force the remote switch to re-advertise by flapping the MAC FDB entry on that switch for the specific host.

This is a known issue that is currently being investigated.


RN-1270 (CM-23825)
NCLU command `net add interface ptm-enable` adds `no ptm-enable` to the frr.conf file and cannot be removed with the `net del` command

The net add interface <interface> ptm-enable command adds no ptm-enable for that interface in the frr.conf file.

Running the net add or the net del command does not remove no ptm-enable from the frr.conf file. You have to remove it manually using vtysh.

This is a known issue that is currently being investigated.


RN-1271 (CM-23792)
`ifreload` does not remove the IP peer address

When you delete post-up and pre-down IP peer entries from the /etc/network/interfaces file and run the ifreload command, the IP addresses are not removed and the route remains in the route table.

To work around this issue, either delete the IP addresses without the /32 mask component or flush the IP addresses for the interface with the ip addr flush dev <interface> command.

This is a known issue that is currently being investigated.


RN-1272 (CM-23726)
Dell S5048F-ON switch experiences a PCIe Bus Error

The EEPROM information changed on the Dell S5048F switch, which causes PCIe Bus Errors.

This is a known issue that is currently being investigated.


RN-1291 (CM-24224)
The layer 3 VNI permanent MAC entry in a bridge FDB is sometimes overwritten by offload and sometimes missing

Permanent bridge FDB entries for a layer 3 VNI SVI are sometimes overwritten by an offload entry and are sometimes missing.

This is a known issue that is currently being investigated.


RN-1292 (CM-24222)
An NCLU traceback occurs when LDAP users without NCLU privileges run `net` commands

When an LDAP user that does not have NCLU privileges (the user is in neither the netshow nor the netedit group, and is not listed in the /etc/netd.conf file) runs an NCLU command, a traceback occurs instead of a permissions error.

This is a known issue that is currently being investigated.


RN-1293 (CM-24211)
IP neighbor entries override /32 routes on the switch hardware

IP neighbor entries override /32 BGP routes on the switch hardware, which affects traffic forwarding.

This is a known issue that is currently being investigated.


RN-1295 (CM-24145)
On Trident3 switches in an EVPN Symmetric configuration, VXLAN decapsulated traffic is forwarded on the peer link instead of the access port

On a Trident3 switch running EVPN Symmetric mode, VXLAN decapsulated traffic is forwarded on the peer link, not the access port.

This is a known issue that is currently being investigated.


RN-1296 (CM-24141)
`portwd` traceback occurs while decoding transceiver codes

When an improperly programmed or corrupted module is inserted, the portwd service might crash due to an EEPROM transceiver code decoding problem and cannot be restarted.

This is a known issue that is currently being investigated.


RN-1302 (CM-23934)
Upgrade to 3.7.3 fails for some Dell S4128T switches

Certain Dell S4128T switches fail to restart after a package upgrade (apt-get upgrade) from Cumulus Linux 3.7.2 to 3.7.3. At the end of the upgrade, you see errors similar to the following:

Processing triggers for libc-bin (2.19-18+deb8u10) ...
/sbin/ldconfig.real: /usr/lib/libtriumph2.so.1.0.0 is not an ELF file - it has the wrong magic bytes at the start.
/sbin/ldconfig.real: /usr/lib/libtsvfp.so.1.0.0 is not an ELF file - it has the wrong magic bytes at the start.
/sbin/ldconfig.real: /usr/lib/libsoc_tdm_apache.so.1.0.0 is not an ELF file - it has the wrong magic bytes at the start.
/sbin/ldconfig.real: /usr/lib/libtrident2plus.so.1.0.0 is not an ELF file - it has the wrong magic bytes at the start.
...

This is a known issue that is currently being investigated.


RN-1323 (CM-24332)
On the Broadcom switch, not all traffic is forwarded after moving interface configuration from bridged to routed

On Broadcom switches, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.

This is a known issue that is currently being investigated.


RN-1330 (CM-24262)
NCLU either removes all interface configuration without an `auto` line or recreates interfaces that already exist

NCLU does not honor "auto all" in the /etc/network/interfaces file and removes the existing configuration if no individual auto <iface> lines exist.

This is a known issue that is currently being investigated.


RN-1354 (CM-24502)
Input chain ACL affects forward chain traffic when routed by a VRR IP

When traffic is routed by the VRR IP of an SVI, forward chain traffic is erroneously matched to input chain ACLs.

This is a known issue that is currently being investigated.


RN-1372 (CM-24665)
Platform json file not populated properly on the Dell S5048F-ON switch

The platform json file on the Dell S5048F-ON switch is improperly populated. This creates an issue when trying to poll the inventory statistics with NetQ.

This is a known issue that is currently being investigated.


RN-1401 (CM-24762)
On the EdgeCore AS7326 switch, the 1000BASE-T SFP RJ-45 on a 25G port does not work at 1G

On the EdgeCore AS7326 switch, the 1000BASE-T SFP RJ-45 on a 25G port does not work at 1G.

This is a known issue that is currently being investigated.


RN-1402 (CM-24751)
On the QuantaMesh T4048-IX8 switch, the 1000BASE-T SFP RJ-45 on a 25G port does not show LEDs

On the QuantaMesh T4048-IX8 switch, the 1000BASE-T SFP RJ-45 on a 25G port does not show LEDs.

This is a known issue that is currently being investigated.


RN-1403 (CM-24676)
On the Dell S3048 switch, cached FEC shows as BaseR on boot up even though FEC is off

On the Dell S3048 switch, ports with FEC disabled show as BaseR on boot up.

This is a known issue that is currently being investigated.


RN-1446 (CM-24841)
Switch port stuck as protodown after being removed from MLAG bond

After you remove a dual connected bond and a VNI from two connected MLAG pairs, one of the previous bond members on one switch remains in protodown state. To work around this issue, manually clear the protodown flag with the ip link set protodown off command.

This is a known issue that is currently being investigated.

The following new issue was added on July 30, 2019.

RN-1500 (CM-25693)
The NCLU `net del bgp vrf autonomous-system` command does not always delete the configuration

After you issue the NCLU net del bgp vrf <vrf> autonomous-system <AS> command and commit the change, Cumulus Linux does not remove the configuration from the /etc/frr/frr.conf file or the net show config commands.

This is a known issue that is currently being investigated.

The following new issue was added on August 12, 2019.

RN-1519 (CM-25824)
NCLU restarts FRR when attempting to remove a BGP VRF instance even if removal is unsuccessful

NCLU restarts FRR when attempting to remove a BGP VRF stanza. This happens regardless of whether the VRF is valid/configured elsewhere on the switch or the removal is successful.

To work around this issue, remove the stanza using vtysh.

This is a known issue that is currently being investigated.

Issues Fixed in Cumulus Linux 3.7.2

The following is a list of issues fixed in Cumulus Linux 3.7.2 from earlier versions of Cumulus Linux.

Release Note ID Summary Description

RN-604 (CM-15959)
ARP suppression does not work well for VXLAN active-active

In some instances, ARP requests are not suppressed in a VXLAN active-active configuration but get flooded over VXLAN tunnels instead. This issue occurs because there is no control plane syncing the snooped local neighbor entries between the MLAG pair; MLAG does not perform this sync and neither does EVPN.

This issue is fixed in Cumulus Linux 3.7.2.


RN-932 (CM-20869)
A bridge loop causes BGP EVPN to install a remote MAC as a local MAC and BGP does not recover automatically

A bridge loop causes frames that arrive through EVPN to be forwarded back to the EVPN bridge. After resolving the forwarding loop, the bridge FDB table recovers, but BGP does not recover automatically. Because the MAC appears to move rapidly, BGP installs the remote MAC as a local entry and advertises it out. Even though the bridge FDB table appears to be correct, bridged traffic destined to the misprogrammed MAC fails.

This issue is fixed in Cumulus Linux 3.7.2.


RN-938 (CM-20979)
Removing a VLAN from a bridge configured with VXLAN results in an outage

Removing a VLAN from a bridge configured with VXLAN causes a network service outage until the configuration change is reverted with the net rollback last command.

To work around this issue, remove the VNI interface first, then remove the unused VLAN from the bridge.

This issue is fixed in Cumulus Linux 3.7.2.


RN-960 (CM-21154)
Deleting an interface with the NCLU command does not remove the interface from the `frr.conf` file

When you use NCLU to delete an interface, the associated configuration is not removed from the /etc/frr/frr.conf file.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1062 (CM-22450)
Input chain ACLs do not apply in hardware on Broadcom platforms

Input chain ACLs do not apply in hardware on Broadcom platforms and input packets are processed against rules in the kernel instead. This can result in rules with the drop action not applying in hardware and the packets reaching the kernel.

This issue is fixed in Cumulus Linux 3.7.2 for platforms that do not provide native support for VXLAN routing (non-RIOT platforms).


RN-1070 (CM-22371)
Improperly directed traffic when there is a change of input interface for PBR on the Spectrum ASIC

When programming policy-based routing (PBR), if you change the input interface from a physical interface to a subinterface, the traffic is not properly redirected. You must flap the nexthop interface to reprogram the PBR.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1075 (CM-21795)
On an Edgecore AS4610 or AS5812 switch, after inserting a 1G LX module or rebooting the switch with the module installed, no traffic is passed on the link if auto-negotiation is enabled

If you insert a 1G LX module into an Edgecore AS4610 or AS5812 switch or reboot the switch with this module installed, no traffic is passed on the switch port when auto-negotiation is enabled. Flapping the link down or up does not repair it.

To work around this issue, disable auto-negotiation, then re-enable it to repair the link; otherwise, disable auto-negotiation permanently. For example, if swp1 has the 1G module, disable then re-enable auto-negotiation as follows:

cumulus@switch:~$ net add interface swp1 link autoneg off
cumulus@switch:~$ net commit
cumulus@switch:~$ net add interface swp1 link autoneg on
cumulus@switch:~$ net commit

This issue is fixed in Cumulus Linux 3.7.2.


RN-1077 (CM-22274)
Configuration of import and export route targets for VNIs in EVPN differs between layer 2 and layer 3

To ease interoperation with non-Cumulus devices, it is possible to configure the route-target import and export values under the layer 2 VNI EVPN configuration. The same configuration does not work for both layer 2 VNIs and layer 3 VNIs. Set the EVPN address-family within the VNI context when configuring the route-target for a layer 2 VNI. Set the EVPN address-family without the VNI context when configuring the route-target for a layer 3 VNI.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1079 (CM-22004)
ARP reply packets are flooded to all remote VTEPs when the packet arrives on a different MLAG peer

ARP reply packets are flooded to all remote VTEPs when the ARP reply arrives on a different MLAG peer than the one where the permanent MAC exists.

To work around this issue:

  1. Manually define the MAC address for the SVI.

     The MAC address allocated to the SVI is inherited by the bridge (by default). The bridge inherits the MAC address from a physical interface (swp*). This inheritance might result in a different SVI MAC address after a reboot (for example, a configuration change might result in the port being removed from the bridge).

     For this example, the MAC address of SVI vlan123 is statically configured as sw01 = MM:MM:MM:11:11:11 and sw02 = MM:MM:MM:22:22:22.

  2. Program a static entry on sw01 pointing to sw02 over the peerlink bond in VLAN 123:

     iface vlan123
         post-up bridge fdb add MM:MM:MM:22:22:22 dev peerlink vlan 123 master static

  3. Configure a static MAC address on sw02 pointing to the SVI owned by sw01 over the peerlink bond in VLAN 123:

     iface vlan123
         post-up bridge fdb add MM:MM:MM:11:11:11 dev peerlink vlan 123 master static

  4. Repeat the steps above for each VLAN.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1081 (CM-22268)
On Mellanox switches, BFD rules configured in `00control_plane.rules` have no effect

Configuring BFD policies in the 00control_plane.rules file on Mellanox switches has no effect.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1082 (CM-22257)
You can add ports as bridge ports multiple times with NCLU

When you add ports as bridge ports multiple times with the NCLU command, the commits succeed without error.

To work around this issue, remove the extra interfaces with the net del bridge bridge ports <interface> command.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1085 (CM-22237)
NCLU SNMP configuration does not start the SNMP server

When you configure SNMP with NCLU commands, the SNMP server does not restart and you see a warning:

WARNING: snmpd is not running.  Run "journalctl -u snmpd" for error messages.

To work around this issue, start SNMP manually.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1092 (CM-22443)
IEEE 802.1X support for management VRF

Add the DAS listener service to the /etc/vrf/systemd.conf file so it can be started in the management VRF as needed.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1096 (CM-22032)
On a Trident 3 switch, cl-ecmpcalc returns a traceback error

On the Trident 3 switch, cl-ecmpcalc returns invalid entries (two entries for MAC address 00:00:00:00:00:00) that cause script failures.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1138 (CM-22484)
On a Mellanox switch, two way ECMP with a /31 mask is not programmed correctly in hardware

On a Mellanox switch, when using an ECMP route over /31 interfaces, incorrect layer 3 neighbor and layer 3 route entries are shown.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1139 (CM-22695)
On a Trident3 switch, EVPN pings to external hosts fail when networking is restarted on an exit spine

When you use a Trident3 switch as the exit node, which is playing the role of the spine, pings to external hosts fail after a systemctl restart networking event.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1143 (CM-22631)
Adding MTU to a VLAN adds `mtu` lines for each bridge port even if they are not defined in /etc/network/interfaces

If you add the MTU to a VLAN with the NCLU net add vlan <vlan> mtu <mtu> command, Cumulus Linux adds extra mtu lines in the /etc/network/interfaces file when there are defined bridge ports that do not exist elsewhere in the file.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1148 (CM-22783)
On the Dell S5248 switch, the `net show system` command shows blank output for the CPU and Chipset values

When you run the NCLU net show system command on the Dell S5248F-ON switch, the output shows blank values for both CPU and Chipset:

cumulus@switch:~$ net show system 
Dellemc S5248F
...

Chipset:
Port Config: 48 x 25G-SFP28 & 4 x 100G-QSFP28 & 2 x 200G-QSFP-DD
CPU:
Uptime: 0:37:19.280000 

This issue is fixed in Cumulus Linux 3.7.2.


RN-1149 (CM-22748)
The `exit-vrf` line is added beneath the `vni` line within the `vrf` stanza in the vtysh configuration

When you have certain options configured (such as PIM, MSDP, or ssmping), exit-vrf is copied beneath the vni line within the vrf stanza in the running vtysh configuration and in the /etc/frr/frr.conf file. This can cause a conflict; for example, if you are running PIM in the same VRF, the vni line is added above the ip pim rp line:

vrf evpn-vrf
 vni 1001
 exit-vrf
 ip pim rp 10.0.0.21 224.0.0.0/4

This issue is fixed in Cumulus Linux 3.7.2.


RN-1154 (CM-22779)
DHCP relay core dumps when using -U and an interface with no IP address

Under certain conditions, DHCP relay produces a segmentation fault when used in an EVPN symmetric environment with the -U option.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1156 (CM-22662)
Debian Security Advisory DSA-4314 for net-snmp issues CVE-2018-18065

The following CVEs were announced in Debian Security Advisory DSA-4314-1 and affect the net-snmp package.

This issue is fixed in Cumulus Linux 3.7.2.

------------------------------------------------------------------

Debian Security Advisory DSA-4314-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

October 11, 2018 https://www.debian.org/security/faq

------------------------------------------------------------------

Package : net-snmp

CVE ID : CVE-2018-18065

Debian Bug : 910638

Magnus Klaaborg Stubman discovered a NULL pointer dereference bug in net-snmp, a suite of Simple Network Management Protocol applications, allowing a remote, authenticated attacker to crash the snmpd process (causing a denial of service).

For the stable distribution (stretch), this problem has been fixed in version 5.7.3+dfsg-1.7+deb9u1.

We recommend that you upgrade your net-snmp packages.

For the detailed security status of net-snmp, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/net-snmp

Upstream info and fix are:

https://dumpco.re/blog/net-snmp-5.7.3-remote-dos

https://sourceforge.net/p/net-snmp/code/ci/7ffb8e25a0db851953155de91f0170e9bf8c457d/


RN-1173 (CM-22917)
The `poed` service is not enabled by default on PoE platforms in Cumulus Linux 3.7

When installing a Cumulus Linux 3.6.1 through 3.7.1 image, the poed service is not enabled by default.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1174 (CM-22734)
IPv6 onlink routes are not being installed in some cases

When installing an IPv6 onlink route, if the kernel has a default route and the gateway resolves out of the default route, the route is rejected if the passed in ifindex does not match. With IPv4, the default route match is ignored and the onlink based route is installed.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1175 (CM-22508)
The `net show system` command on the Facebook Backpack generates a WARNING in netd.log

When you run the net show system command on a Facebook Backpack switch, you see an error in netd.log:

2018-09-21T03:10:20.476355+00:00 cel-bs02-fc1 netd:    INFO:  RXed: user cumulus, command "/usr/bin/net show system"
2018-09-21T03:10:20.559883+00:00 cel-bs02-fc1 netd: WARNING:  Could not detect platform information for "cel,bigstone_g_fab1"

This issue is fixed in Cumulus Linux 3.7.2.


RN-1176 (CM-22477)
BFD shares the same TRAP group as bulk IP2ME

On Mellanox switches, BFD packets share the same TRAP group (Trap Group 8) as other bulk IP2ME traffic. If traffic is flooded to the CPU (for example, because of route withdrawal) BFD packets are dropped.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1177 (CM-22459)
NCLU command fails to delete the OSPF message-digest-key from an interface in a VRF

The NCLU net del command fails to remove a message-digest-key from a subinterface in a VRF and displays an error message.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1178 (CM-22410)
Configuring BGP community-list does not enable `bgpd`

If you configure a BGP community list using NCLU, it should set bgpd=yes if it is not already enabled. Communities are only used with BGP. If you try to configure a community (or extcommunity) before enabling bgpd (either by editing the /etc/frr/daemons file or by running other BGP NCLU commands), NCLU accepts the configuration and no warning is reported when committed. However, the configuration is not accepted by FRR.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1179 (CM-22393)
NCLU support for large communities

NCLU currently supports BGP prefix filtering via community and extcommunity, but not large-community, which are common in 4-Byte ASN environments.

This issue is fixed in Cumulus Linux 3.7.2. NCLU now supports large-community.


RN-1180 (CM-22087)
NCLU fails to parse when `link-speed 10` is applied

NCLU does not allow for configuration of link-speed 10 and does not parse any unrelated NCLU configuration when link-speed 10 is detected in the /etc/network/interfaces file.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1182 (CM-21856)
VXLAN-encapsulated packets are not forwarded on Mellanox Spectrum switches

On the Mellanox Spectrum switch, VXLAN-encapsulated packets are not being forwarded.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1183 (CM-19714)
The BGP martian next hop table is not updated on an interface IP address change

Configuring an IP address on any local layer 3 interface causes the interface IP address to be placed in the BGP martian next hop table. However, subsequent removal of that address from an interface does not remove it from the BGP martian next hop table.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1184 (CM-17391)
Add support for permanent MAC address sync between MLAG peers

MLAG does not sync permanent MAC addresses between peers. When nolearning is turned on, traffic with a next hop pointing to the peerlink is forwarded to the CPU and throughput is limited.

This issue is fixed in Cumulus Linux 3.7.2. Permanent MAC address sync between MLAG peers is now supported.


RN-1194 (CM-21930)
Mellanox switches prefer RMAC learned over VXLAN instead of the local permanent FDB entry

Mellanox switches prefer a MAC entry learned through the VNI over a permanent entry for the corresponding SVI.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1195 (CM-23131)
MLAG AttributeError: 'NoneType' object has no attribute 'replace'

In an MLAG configuration, you might see the traceback AttributeError: 'NoneType' object has no attribute 'replace'.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1199 (CM-23499)
On Dell S5048F and Z9100 switches, the wrong driver might try to load and fails

On the Dell S5048F and Dell Z9100 switches, the MODULE_DEVICE_TABLE declaration enables the kernel to auto load the drivers on any platform with a Xilinx 7021 device. As a result, these switches might exhibit errors in their dmesg logs when trying to auto load an incompatible driver.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1289 (CM-22996)
New VRF syntax for SNMP `agentaddress`

Due to upstream changes to Net-SNMP patches submitted by Cumulus Networks, the VRF syntax for agentaddress has changed. The VRF is now prepended with a @ instead of a %. For example, 10.10.10.10%mgmt becomes 10.10.10.10@mgmt.

This change occurred in Cumulus Linux 3.7.2.


RN-1290 (CM-24196)
`snmpd` generates a core file when the service is stopped or restarted and the snmpd.conf file contains `trapsess` lines

The snmpd service fails and generates a core file when the service is stopped or restarted and there is a trapsess line configured in the snmpd.conf file.

To work around this issue, comment out the trapsess lines.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1348 (CM-22123)
Security Advisory for wpa/hostapd CVE-2018-14526

The following CVEs affect the hostapd and wpa_supplicant packages.

This issue is fixed in Cumulus Linux 3.7.2.

------------------------------------------------------------------------

https://nvd.nist.gov/vuln/detail/CVE-2018-14526

------------------------------------------------------------------------

Packages:

https://launchpad.net/ubuntu/+source/wpa/2:2.6-15ubuntu2.1

https://launchpad.net/ubuntu/+source/wpa/2.4-0ubuntu6.3

https://launchpad.net/ubuntu/+source/wpa/2.1-0ubuntu1.6

CVE-2018-14526

wpa_supplicant and hostapd could be made to expose sensitive information if it received a crafted message.

It was discovered that wpa_supplicant and hostapd incorrectly handled certain messages. An attacker could possibly use this to access sensitive information. The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS:

hostapd 2:2.6-15ubuntu2.1

wpasupplicant 2:2.6-15ubuntu2.1

Ubuntu 16.04 LTS:

hostapd 2.4-0ubuntu6.3

wpasupplicant 2.4-0ubuntu6.3

Ubuntu 14.04 LTS:

hostapd 2.1-0ubuntu1.6

wpasupplicant 2.1-0ubuntu1.6

After a standard system update you need to reboot your computer to make all the necessary changes.

References: https://usn.ubuntu.com/usn/usn-3745-1

Package Information:

https://launchpad.net/ubuntu/+source/wpa/2:2.6-15ubuntu2.1

https://launchpad.net/ubuntu/+source/wpa/2.4-0ubuntu6.3

https://launchpad.net/ubuntu/+source/wpa/2.1-0ubuntu1.6

New Known Issues in Cumulus Linux 3.7.2

The following issues affect the Cumulus Linux 3.7.2 release.

Release Note ID Summary Description

RN-1145 (CM-22560)
Debian Security Advisory DSA-4306-1 for python issues CVE-2018-1060 CVE-2018-1061 CVE-2018-1000802

The following CVEs were announced in Debian Security Advisory DSA-4306-1 and affect the python package.

-------------------------------------------------------------------------

Debian Security Advisory DSA-4306-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

September 27, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package: python3.4

CVE ID: CVE-2018-1060 CVE-2018-1061 CVE-2018-1000802

Multiple security issues were discovered in Python: ElementTree failed to initialise Expat's hash salt, two denial of service issues were found in difflib and poplib and the shutil module was affected by a command injection vulnerability.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

This issue will be fixed in a future version of Cumulus Linux.


RN-1150 (CM-22891)
Debian Security Advisory DSA-4332-1 for ruby issues CVE-2018-16395 CVE-2018-16396

The following CVEs were announced in Debian Security Advisory DSA-4332-1 and affect the ruby package.

-------------------------------------------------------------------------

Debian Security Advisory DSA-4332-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

November 03, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : ruby2.3

CVE ID : CVE-2018-16395 CVE-2018-16396

Several vulnerabilities have been discovered in the interpreter for the Ruby language. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2018-16395

Tyler Eckstein reported that the equality check of OpenSSL::X509::Name could return true for non-equal objects. If a malicious X.509 certificate is passed to compare with an existing certificate, there is a possibility that they are incorrectly judged to be equal.

CVE-2018-16396

Chris Seaton discovered that tainted flags are not propagated in Array#pack and String#unpack with some directives.

For the stable distribution (stretch), these problems have been fixed in version 2.3.3-1+deb9u4.

We recommend that you upgrade your ruby2.3 packages.

For the detailed security status of ruby2.3, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/ruby2.3

The 2.1 tracker for jessie is: https://security-tracker.debian.org/tracker/ruby2.1

This issue will be fixed in a future version of Cumulus Linux.


RN-1151 (CM-22956)
FRR ignores the BGP peer group password for dynamic/bgp listen range neighbors

FRR ignores a BGP password configured in a peer group that is associated with the bgp listen range. In the following example, the password cumulus has no effect on neighbors that connect in the 10.30.40.0/24 range. If the neighbor has neighbor password cumulus configured, the peering does not come up.

router bgp 65001
 neighbor LXD peer-group
 neighbor LXD remote-as external
 neighbor LXD password cumulus
 neighbor LXD timers 1 3
 neighbor LXD timers connect 3
 bgp listen limit 20
 bgp listen range 10.30.4.0/24 peer-group LXD
!

This is a known issue that is currently being investigated.


RN-1152 (CM-22933)
The centralized EVPN gateway MAC address is not refreshed in the network when ARP suppression is enabled on the gateway

In a centralized VXLAN routing topology, the gateway advertises its MAC address to all other VTEPs. If the layer 2 network extends beyond the access layer VTEPs (for example, a KVM with a bridge running on the host), the gateway MAC address needs to be refreshed either by way of the end hosts/VMs ARPing for the gateway IP address or the network has to refresh it by way of periodic gratuitous ARP.

Currently, Cumulus Linux relies on the centralized gateway to generate gratuitous ARP (neighmgrd). However, if ARP suppression is enabled on the gateway, the gARP gets suppressed on VXLAN interfaces. As a result, the gateway MAC address might age out in the host bridge scenario and lead to an excessive unknown unicast flood within the host bridge when VMs send packets to be routed by the gateway.

If the gateway only has connections to firewalls (and is unlikely to see a massive number of ARP requests), you can work around this issue by disabling ARP suppression on the centralized gateway. In a more general topology, where the centralized gateway might also have a lot of local host connections and sees a lot of ARP requests, turning off ARP suppression might not be a desirable solution.

This is a known issue that is currently being investigated.


RN-1157 (CM-22885)
Enabling FEC causes `ifreload -a` to always invoke `ethtool --set-fec`

After FEC is enabled on an interface, ifupdown2 invokes ethtool --set-fec, even if FEC is unchanged. For Broadcom switches, this might cause a link flap.

This is a known issue that is currently being investigated.


RN-1158 (CM-22609)
Debian Security Advisory DSA-4311-1 for git issues CVE-2018-17456

The following CVEs were announced in Debian Security Advisory DSA-4311-1 and affect the git package.

-------------------------------------------------------------------

Debian Security Advisory DSA-4311-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

October 05, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------

Package : git

CVE ID : CVE-2018-17456

joernchen of Phenoelit discovered that git, a fast, scalable, distributed revision control system, is prone to an arbitrary code execution vulnerability via a specially crafted .gitmodules file in a project cloned with --recurse-submodules.

For the stable distribution (stretch), this problem has been fixed in version 1:2.11.0-3+deb9u4.

We recommend that you upgrade your git packages.

For the detailed security status of git, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/git

This issue will be fixed in a future Cumulus Linux release.


RN-1159 (CM-22441)
Debian Security Advisory DSA-4294 for ghostscript issues CVE-2018-16509 CVE-2018-16802 CVE-2018-11645

The following CVEs were announced in Debian Security Advisory DSA-4294-1 and affect the ghostscript package.

----------------------------------------------------------

Debian Security Advisory DSA-4294-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

September 16, 2018 https://www.debian.org/security/faq

----------------------------------------------------------

Package : ghostscript

CVE ID : CVE-2018-16509 CVE-2018-16802

Tavis Ormandy discovered multiple vulnerabilities in Ghostscript, an interpreter for the PostScript language, which could result in the execution of arbitrary code if a malformed PostScript file is processed (despite the dSAFER sandbox being enabled).

For the stable distribution (stretch), these problems have been fixed in version 9.20~dfsg-3.2+deb9u5.

We recommend that you upgrade your ghostscript packages.

For the detailed security status of ghostscript, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/ghostscript

This issue will be fixed in a future Cumulus Linux release.


RN-1160 (CM-22298)
Debian Security Advisory DSA-4286-1 for curl issues CVE-2018-14618

The following CVEs were announced in Debian Security Advisory DSA-4286-1 and affect the curl package.

-------------------------------------------------------------

Debian Security Advisory DSA-4286-1 security@debian.org

https://www.debian.org/security/ Alessandro Ghedini

September 05, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------

Package : curl

CVE ID : CVE-2018-14618

Zhaoyang Wu discovered that cURL, a URL transfer library, contains a buffer overflow in the NTLM authentication code triggered by passwords that exceed 2GB in length on 32bit systems. See https://curl.haxx.se/docs/CVE-2018-14618.html for more information.

For the stable distribution (stretch), this problem has been fixed in version 7.52.1-5+deb9u7.

We recommend that you upgrade your curl packages.

For the detailed security status of curl, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/curl

This issue will be fixed in a future Cumulus Linux release.


RN-1161 (CM-22937)
NCLU SNMPv3 user configuration does not get applied correctly

NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the /etc/snmp/snmpd.conf file but the SNMPv3 user cache file /var/lib/snmp/snmpd.conf fails to update correctly and the configuration does not reflect in operation.

To work around this issue, stop snmpd, remove the cache file, then restart snmpd.

This is a known issue that is currently being investigated.


RN-1162 (CM-22814, CM-22813)
NCLU fails to remove the BGP graceful shutdown community

The NCLU net del bgp graceful-shutdown command does not disable graceful BGP shutdown.

To work around this issue, remove the configuration from vtysh. For example:

cumulus@leaf01:~$ sudo vtysh
leaf01# conf t
leaf01(config)# router bgp 65104
leaf01(config-router)# no bgp graceful-shutdown
leaf01(config-router)# end
leaf01# wr
Note: this version of vtysh never writes vtysh.conf
Building Configuration...
Integrated configuration saved to /etc/frr//frr.conf
[OK]
leaf01# exit

When removed, the FRR configuration looks like this:

router bgp 65104
 bgp router-id 10.255.255.14
 neighbor swp51 interface remote-as external
 neighbor swp52 interface remote-as external

This is a known issue that is currently being investigated.


RN-1164 (CM-22808)
On the Trident II+ switch, `hsflowd` does not stop with the `systemctl stop hsflowd` command

When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL.

This is a known issue that is currently being investigated.


RN-1165 (CM-22802)
The NCLU `bridge pvid` command does not add the interface to bridge ports

When you run the net add (bond|interface) <iface> bridge pvid command, NCLU does not add the port as a slave of the VLAN-aware bridge.

This is a known issue that is currently being investigated.


RN-1167 (CM-22794)
The Dell S5048F-ON Temp3 sensor shows as absent

The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent.

This is a known issue that is currently being investigated.


RN-1169 (CM-20053)
Recursive next-hops using iBGP marked inactive with multiple route reflectors in the path

In certain topologies that use BGP and route reflectors, next hop resolution might be impacted by advertising the spine-leaf link addresses from the leafs themselves. The problem is seen primarily with multiple links between each pair of spine and leaf switches, and redistribute connected configured on the leafs.

To work around this issue, only advertise the spine to leaf addresses from the spine switches (or use IGP for next-hop propagation). You can use network statements for the interface addresses that you need to advertise to limit the addresses advertised by the leaf switches. Or, define redistribute connected with route maps to filter the outbound updates and remove the spine to leaf addresses from being sent from the leafs.

This is a known issue that is currently being investigated.


RN-1170 (CM-22849)
An `ovs-vtepd` core dump might occur when a network event leads to an OVSDB server high availability transition

When an event in the network, such as a switchd or networking service restart, leads to an OVSDB server high availability transition, an ovs-vtepd core dump might occur. This core generation has no effect on the functionality of high availability when the active OVSDB server is back in the network.

This is a known issue that is currently being investigated.


RN-1171 (CM-22950)
Debian Security Advisory DSA-4335-1 for nginx issues CVE-2018-16843 CVE-2018-16844 CVE-2018-16845

The following CVEs were announced in Debian Security Advisory DSA-4335-1 and affect the nginx package.

-------------------------------------------------------------------------------------

Debian Security Advisory DSA-4335-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff November 08, 2018

https://www.debian.org/security/faq

--------------------------------------------------------------------------------------

Package : nginx

CVE ID : CVE-2018-16843 CVE-2018-16844 CVE-2018-16845

Three vulnerabilities were discovered in Nginx, a high-performance web and reverse proxy server, which could result in denial of service in processing HTTP/2 (via excessive memory/CPU usage) or server memory disclosure in the ngx_http_mp4_module module (used for server-side MP4 streaming).

For the stable distribution (stretch), these problems have been fixed in version 1.10.3-1+deb9u2.

We recommend that you upgrade your nginx packages.

For the detailed security status of nginx, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/nginx

This issue will be fixed in a future Cumulus Linux release.


RN-1172 (CM-22346)
Debian Security Advisory DSA-4288-1 for ghostscript issues CVE-2018-15908 CVE-2018-15910 CVE-2018-15911 CVE-2018-16511 CVE-2018-16513 CVE-2018-16539 CVE-2018-16540 CVE-2018-16541 CVE-2018-16542 CVE-2018-16543 CVE-2018-16585

The following CVEs were announced in Debian Security Advisory DSA-4288-1 and affect the ghostscript package.

-----------------------------------------------------------------

Debian Security Advisory DSA-4288-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

September 07, 2018 https://www.debian.org/security/faq

------------------------------------------------------------------

Package : ghostscript

CVE ID : CVE-2018-15908 CVE-2018-15910 CVE-2018-15911 CVE-2018-16511 CVE-2018-16513 CVE-2018-16539 CVE-2018-16540 CVE-2018-16541 CVE-2018-16542 CVE-2018-16543 CVE-2018-16585

Tavis Ormandy discovered multiple vulnerabilities in Ghostscript, an interpreter for the PostScript language, which could result in denial of service, the creation of files or the execution of arbitrary code if a malformed Postscript file is processed (despite the dSAFER sandbox being enabled).

For the stable distribution (stretch), these problems have been fixed in version 9.20~dfsg-3.2+deb9u4.

We recommend that you upgrade your ghostscript packages.

For the detailed security status of ghostscript, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/ghostscript

This issue will be fixed in a future Cumulus Linux release.


RN-1185 (CM-23062)
On the Celestica RedstoneV switch, swp14 and swp22 do not work

On the Celestica RedstoneV switch, the hardware settings are incorrect on swp14 and swp22.

This is a known issue that is currently being investigated.


RN-1186 (CM-23008)
EVPN type-5 received AS-Path prepend not propagated to IBGP peers

The as-path is not propagating for EVPN type-5 prefixes until forced with a clear.

This is a known issue that is currently being investigated.


RN-1187 (CM-23004)
Local authentication (password) is working with the local account even when the RADIUS or TACACS server is running

The local fallback account authenticates using the local password when the RADIUS or TACACS service is up. The expected behavior is for this to fail and only succeed when the RADIUS or TACACS server fails to respond.

This is a known issue that is currently being investigated.


RN-1189 (CM-19164)
Unable to ping the remote network gateway address (SVI) in a VXLAN symmetric routing configuration with distinct IPs

Currently, Cumulus Linux does not program the remote network SVI IP address in the route table. As a result, you can't ping the remote network gateway address; however, you can ping the hosts in that remote network.

This is a known issue that is currently being investigated.


RN-1190 (CM-22775)
On the Dell S5232F switch, the i2c bus might get stuck

If a pluggable is removed from the Dell S5232F switch during a read transaction, the ocores driver gets stuck and no more i2c transactions are possible on that core.

This is a known issue that is currently being investigated.


RN-1191 (CM-22848)
Input chain ACL drop action does not drop packets if the traffic is destined to the CPU on an SVI (RIOT platforms)

On platforms that provide native support for VXLAN routing (RIOT platforms), input chain ACLs match against forward chain traffic if the traffic is routed by a VRR IP address.

This is a known issue that is currently being investigated.


RN-1192 (CM-23075)
Limitation on the number of interfaces supported in the DHCP relay file

There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces cause the dhcrelay service to exit without a core file, and logs similar to the following are generated for the interfaces:

2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on   LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.

This is a known issue that is currently being investigated.


RN-1193 (CM-22951)
Unable to bring up some 10G LR interfaces on Mellanox switches

It is not currently possible to bring up some 10G LR interfaces on Mellanox switches as auto-negotiation is set to on in hardware.

This is a known issue that is currently being investigated.


RN-1198 (CM-23287)
Unable to bring up links between Intel NIC X722 LOM and Mellanox switches

There is a known issue where an Intel X722 LOM does not link when connected to a Mellanox SX or SN switch. Contact Customer Support for additional information.


RN-1225 (CM-22892)
On the Dell S5248F and S5232F switch, systemd-modules-load.service fails and switchd does not start

After a new Cumulus Linux install on the Dell S5248F and the S5232F switch or during a soft reboot of these platforms, systemd-modules-load.service and a few other services might fail because switchd does not start. You see the following syslog messages:

kernel: fpga_init: cum_i2c_add_cli(70,sff8436) failed: -6
kernel: Error, FPGA driver NOT registered
kernel: dellemc_s5248f_init: FPGA initialization failed

To prevent this issue, power cycle the switch if a reboot is needed instead of doing a soft reboot. To work around this issue if it occurs, power cycle the switch to recover.

This is a known issue that is currently being investigated.


RN-1244 (CM-23441)
clagd permanent MAC sync for SVI related to Layer 3 VNI

Cumulus Linux 3.7.2 introduced clagd synchronization for permanent MAC addresses (MAC address of SVI interfaces). By allowing this permanent address to be synchronized, each MLAG system installs the MAC address over the peer link. While this forwarding entry is programmed, this device cannot properly decapsulate VXLAN packets, which results in these packets being discarded.

To work around this issue, make sure that the VLAN ID (SVI used for the layer 3 VNI) is not part of the bridge in an MLAG configuration. This ensures that traffic tagged with that VLAN ID is not forwarded on the peer link or other trunks.


RN-1281 (CM-23789)
SNMPv3 bulkget causes the agent to crash

After upgrading to Cumulus Linux 3.7.2, the SNMP agent crashes when you call snmpbulkget. The SNMP agent will automatically restart and there is no impact to forwarding traffic.

To work around this issue, do not call snmpbulkget where the response packet length is greater than the default maximum message length of 1472.

This is a known issue that is currently being investigated.


RN-1297 (CM-24092)
Facebook Backpack PSU monitoring occasionally replies with N/A value or FAULT ALARM instead of integers

On the Facebook Backpack switch, you sometimes see the unparsable sensor value "FAULT ALARM" and/or the state changed from OK to ABSENT in the /var/log/syslog file.

This is a known issue that is currently being investigated.


RN-1298 (CM-24047)
ARP requests are being sent with the sender IP address set to 0.0.0.0

The Cumulus Linux switch sometimes sends out ARP request packets with the sender IP address set to 0.0.0.0.

This is a known issue that is currently being investigated.


RN-1299 (CM-24035)
On a 100M full duplex interface, auto-MDIX does not work correctly

On the Edgecore 4610-54P switch, automatic medium-dependent interface crossover (auto-MDIX) stops working on a 100M full duplex interface and does not detect the required cable connection type.

This is a known issue that is currently being investigated.


RN-1300 (CM-24022)
Incorrect VNI associated with prefix

In an MLAG configuration, some prefixes are correlated with an incorrect VNI, which results in loss of redundant paths in the fabric for these prefixes. To work around this issue, restart FRR or perform a hard boot.

This is a known issue that is currently being investigated.


RN-1301 (CM-24001, CM-22157)
On the Tomahawk switch, portwd fails with ports configured to both 50G and 4x25G at the same time

On a Tomahawk switch, if you configure a port as 50G and another port as 4x25G at the same time, the portwd service fails.

This is a known issue that is currently being investigated.


RN-1303 (CM-23892)
EVPN next hops are sometimes not removed when the peer goes down

Under certain conditions, EVPN next hops might not be removed when the contributing peer goes down or might not be populated when the BGP session to the contributing peer comes up.

This is a known issue that is currently being investigated.


RN-1304 (CM-23801)
Traffic destined to the SVI of the MLAG paired switch is forwarded, then dropped

The switch forwards traffic destined to the SVI of the MLAG paired switch, then drops the traffic.

This is a known issue that is currently being investigated.


RN-1305 (CM-23790)
Incorrect PMSI label advertised for layer 2 VNI, which creates an interoperability issue with Cisco NXOS

When layer 2 VNIs are configured that terminate on Cisco switches at the edge, BUM traffic arriving on the Cisco switch is not being properly VXLAN encapsulated and forwarded to the Cumulus VTEPs.

This is a known issue that is currently being investigated.


RN-1306 (CM-23674)
The permanent MAC entry corresponding to the layer 3 VNI's SVI (corresponding VLAN) is missing in the bridge FDB

The permanent MAC entry that corresponds to the SVI of the layer 3 VNI (corresponding VLAN) is missing in the bridge FDB.

This is a known issue that is currently being investigated.


RN-1322 (CM-24370)
Incorrect ARP/ND packets when VLAN interface flaps in an EVPN centralized routing configuration

In an EVPN centralized routing deployment, the border leaf sends out incorrect packets when flapping the VLAN interface.

This is a known issue that is currently being investigated.


RN-1331 (CM-24241)
NCLU fails to remove a BGP peer group related configuration

When you try to remove a BGP peer group configuration with NCLU, the command fails but no warning message is shown. For example:

cumulus@switch:~$ net del bgp neighbor fabric peer-group
'router bgp 65001' configuration does not have 'neighbor fabric peer-group'

This is a known issue that is currently being investigated.


RN-1332 (CM-24271)
Incorrect readout of the high temperature alarm threshold disables a 100G optical module on Mellanox switches

An incorrect readout of the optical transceiver high temperature alarm threshold (read as 17 degrees centigrade) disables a 100G optical module on Mellanox Spectrum switches.

This is a known issue that is currently being investigated.


RN-1347 (CM-24315)
SNMP crashes with error `Unknown operation 6 in agentx_got_response`

The snmpd daemon sometimes crashes with the error Unknown operation 6 in agentx_got_response.

This is a known issue that is currently being investigated.


RN-11414 (CM-23661)
On a Mellanox switch, switchd errors when adding a GRE tunnel, causing GRE traffic to be software-forwarded upon encapsulation

When you configure a GRE tunnel on a Mellanox switch, the traffic behind the local tunnel endpoint destined through the GRE tunnel is software-forwarded.

This is a known issue that is currently being investigated.

The following new issue was added on October 4, 2019.

RN-1573 (CM-25414)
On Mellanox SN2410 switches, switchd fails to start

On the Mellanox SN2410 switch, switchd does not start.

This is a known issue that is currently being investigated.


RN-1577 (CM-23748)
A dummy interface does not inherit the MTU from /etc/network/ifupdown2/policy.d files

A dummy interface does not inherit the MTU from a defaults file in /etc/network/ifupdown2/policy.d. A dummy interface is typically used to keep SVI interfaces up when there are no switch ports up that are associated with that VLAN.

This is a known issue that is currently being investigated.


RN-1578 (CM-23565)
EVPN prefixes keep max-med on-startup value after timer expires

EVPN prefixes retain the max-med on startup value after the timer expires.

This is a known issue that is currently being investigated.

Issues Fixed in Cumulus Linux 3.7.1

The following is a list of issues fixed in Cumulus Linux 3.7.1 from earlier versions of Cumulus Linux.

Release Note ID Summary Description

RN-993 (CM-20585)
Routes learned from EVPN clouds do not get summarized

Routes that are learned from an EVPN cloud do not get summarized. Only routes that reside on, or are owned by, a switch get summarized.

This issue is fixed in Cumulus Linux 3.7.1.


RN-1080 (CM-21997)
The VRF membership for a VRR interface fails to update in the Mellanox SDK

The VRF membership for a VRR interface fails to update. This issue does not affect SVI (non-v0) interfaces.

To work around this issue, reboot the switch or remove the VRR IP address and reconfigure it. For example:

cumulus@switch:~$ net del vlan 120 ip address-virtual 
cumulus@switch:~$ net commit 
cumulus@switch:~$ net add vlan 120 ip address-virtual 00:00:00:00:01:20 10.120.0.254/24 
cumulus@switch:~$ net commit

This issue is fixed in Cumulus Linux 3.7.1.


RN-1087 (CM-22206)
Mellanox ERSPAN not working with VXLAN

On Mellanox switches, bond member interfaces are not supported on ERSPAN.

This issue is fixed in Cumulus Linux 3.7.1.


RN-1098 (CM-22069)
On Tomahawk switches, the hardware MAC entry is not updated on native VLAN changes

On a Tomahawk switch with VXLAN-enabled VLANs, if the native VLAN on a port is changed, the GPORT associated with a MAC address in that VLAN is incorrect.

This issue is fixed in Cumulus Linux 3.7.1.


RN-1100 (CM-22187)
In FRRouting, the BGP aggregate-address statement is ignored when the network statement uses the same IP address

If you start FRRouting and your configuration has a BGP IPv4 network statement that is the same as an aggregate-address statement, then the aggregate is not announced.

For example, if you have the following FRR configuration:

network 172.16.250.0/24
aggregate-address 172.16.250.0/24

Then that network is not advertised unless 172.16.250.0/24 (exactly) is in the RIB. The issue does not happen if the network statement does not exactly match the aggregate-address statement (including supernets and subnets).

To work around this issue, remove the matching network statement.
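
A check for this condition, added here as an example and not part of Cumulus Linux or FRR: it parses an FRR configuration fragment and reports only prefixes that appear both as a network statement and as an aggregate-address statement, ignoring supernets and subnets as described above. The configuration fragment is constructed for the example.

```python
import ipaddress
import re

# Constructed FRR configuration fragment (not from a real switch) that
# reproduces the RN-1100 condition: one "network" statement exactly matches
# an "aggregate-address" statement; the other two are a subnet and a
# supernet of their aggregates and must not be reported.
SAMPLE_FRR_CONF = """\
router bgp 65104
 bgp router-id 10.255.255.14
 neighbor swp51 interface remote-as external
 address-family ipv4 unicast
  network 172.16.250.0/24
  network 172.16.251.0/25
  network 10.10.0.0/16
  aggregate-address 172.16.250.0/24
  aggregate-address 172.16.251.0/24
  aggregate-address 10.10.0.0/24 summary-only
 exit-address-family
"""

# Leading whitespace, the keyword, then the prefix; trailing options such as
# "summary-only" or "route-map ..." are not needed for the check.
_STATEMENT = re.compile(r"^\s*(network|aggregate-address)\s+(\S+)")


def parse_bgp_prefixes(conf_text):
    """Return (networks, aggregates) as sets of ipaddress network objects."""
    networks, aggregates = set(), set()
    for line in conf_text.splitlines():
        m = _STATEMENT.match(line)
        if not m:
            continue
        try:
            # strict=False tolerates host bits so "a.b.c.5/24" still maps to
            # the /24 that FRR would announce.
            prefix = ipaddress.ip_network(m.group(2), strict=False)
        except ValueError:
            continue  # not a prefix; skip the line
        (networks if m.group(1) == "network" else aggregates).add(prefix)
    return networks, aggregates


def exact_aggregate_collisions(conf_text):
    """Prefixes present as both 'network' and 'aggregate-address'.

    Supernets and subnets are deliberately not reported: only an exact
    match suppresses the aggregate announcement (RN-1100).
    """
    networks, aggregates = parse_bgp_prefixes(conf_text)
    return sorted(str(p) for p in networks & aggregates)


def workaround_commands(conf_text):
    """FRR lines that apply the documented workaround: remove the exactly
    matching network statement and keep the aggregate."""
    return ["no network %s" % p for p in exact_aggregate_collisions(conf_text)]


if __name__ == "__main__":
    for cmd in workaround_commands(SAMPLE_FRR_CONF):
        print(cmd)
```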

This issue is fixed in Cumulus Linux 3.7.1.


RN-1104 (CM-22472)
MLAG anycast IP address is not applied on the secondary switch after making changes

When clagd is running and you add or modify the MLAG VXLAN anycast IP address on the loopback using NCLU or by editing the configuration file, the changes are not applied. You need to restart clagd manually for the changes to be applied.

This issue is fixed in Cumulus Linux 3.7.1.


RN-1116 (CM-22509)
FRR reload does not apply changes to BGP aggregate addresses

If you change the BGP aggregate addresses using NCLU and FRR is restarted, the configuration is accepted, but the routes do not appear in the BGP table.

To work around this issue, manually change the BGP aggregate addresses in vtysh.

This issue is fixed in Cumulus Linux 3.7.1.


RN-1125 (CM-22540)
Cumulus Linux might be unable to read certain sensors on the Dell S5248F Trident3 switch

Due to changes made to the BMC firmware, Cumulus Linux might be unable to read certain sensors correctly on the Dell S5248F Trident3 switch; for example, the CPU temperature might appear as absent.

This issue is fixed in Cumulus Linux 3.7.1.


RN-1127 (CM-22243)
On a Trident3 switch, packets received with TTL=1 destined to the CPU are marked as RX_DROPs

On the Trident3 switch, any packet received with TTL=1 and destined to the CPU is marked as dropped.

This issue is fixed in Cumulus Linux 3.7.1.


RN-1128 (CM-22630)
OSPF6 fails to start after a fresh 3.7 installation

OSPF6 fails to start on a fresh install of Cumulus Linux 3.7.

This is fixed in Cumulus Linux 3.7.1.


RN-1315 (CM-24330)
On a Mellanox switch, when you change the VRF membership on an SVI with VRR configured, the VRR MAC is not programmed into hardware

On a Mellanox switch, when you change the VRF membership of an interface with VRR enabled, the VRR MAC address is not properly programmed into hardware.

To work around this issue, delete and recreate the interface using ifup and ifdown.

This issue is fixed in Cumulus Linux 3.7.1.

New Known Issues in Cumulus Linux 3.7.1

The following issues affect the Cumulus Linux 3.7.1 release.

Release Note ID Summary Description

RN-1129 (CM-22608, CM-22555)
On Mellanox Spectrum and Helix4 switches, sFlow sends malformed packets and no flow samples

Mellanox Spectrum and Helix4 switches occasionally send malformed packets and do not send any flow samples (only counters).

This is a known issue that is currently being investigated.


RN-1131 (CM-22605)
On the Dell S4048 switch, changing the eth0 link speed to 100 causes igb to crash

On a Dell S4048 switch, when you set the eth0 speed to 100, either with NCLU or by editing the /etc/network/interfaces file, the igb driver crashes, which brings down eth0.

To work around this issue:

  • If eth0 is configured in the management VRF, power cycle the switch; the eth0 configuration fails and reverts back to the default (auto-negotiation/1000).
  • If eth0 is configured in the default VRF and you power cycle after the crash, igb continues to crash on boot up (before getting to login prompt); power-cycle the switch, select the Advanced option in GRUB to boot to recovery mode, then modify the /etc/network/interfaces file.

This is a known issue that is currently being investigated.


RN-1134 (CM-22589)
NCLU `net show configuration commands` displays a syslog command with invalid syntax

NCLU net show configuration commands displays a net add syslog command with invalid syntax. For example, if you run the following commands:

cumulus@switch:~$ net add syslog host ipv4 10.0.0.1 port udp 514
cumulus@switch:~$ net commit

and then run net show configuration commands, the syslog command in the output has invalid syntax.

This is a known issue that is currently being investigated.


RN-1135 (CM-22583)
On Broadcom switches, single-tagged ARP requests received on the QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI

Single tagged ARP requests received on a QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI.

This is a known issue that is currently being investigated.


RN-1136 (CM-22554)
The link state of a bond is not updated when several members are brought down remotely at once

If you try to bring down several members of a bond remotely at the same time, the link state of one of the interfaces does not correctly transition to the down state; however, all links show down in hardware.

This is a known issue that is currently being investigated.


RN-1137 (CM-22546)
On the Facebook Voyager, the eth0 port is not visible on initial power on

The eth0 port is not visible in Cumulus Linux or the BIOS on initial boot.

To work around this issue, do a hard power reset to recover the device.

This is a known issue that is currently being investigated.


RN-1138 (CM-22484)
On a Mellanox switch, two-way ECMP with a /31 mask is not programmed correctly in hardware

On a Mellanox switch, when using an ECMP route over /31 interfaces, incorrect layer 3 neighbor and layer 3 route entries are shown.

This is a known issue that is currently being investigated.


RN-1139 (CM-22695)
On a Trident3 switch, EVPN pings to external hosts fail when networking is restarted on an exit spine

When you use a Trident3 switch as the exit node, which is playing the role of the spine, pings to external hosts fail after a systemctl restart networking event.

This is a known issue that is currently being investigated.


RN-1140 (CM-22645)
NCLU automatically creates peerlink.4094 with no regard for the configured reserved VLAN range

When you configure MLAG with NCLU, the peerlink and peerlink.4094 interfaces are automatically created; peerlink.4094 is outside of the default reserved VLAN range of 3000-3999. However, when creating the peerlink interfaces, Cumulus Linux does not check against a possible collision with VLANs outside of the default reserved range in case the reserved VLAN range has been modified.

This is a known issue that is currently being investigated.


RN-1141 (CM-22697)
NCLU adds duplicate bridge ports

When you use NCLU to add bridge ports, you can add the same ports to the bridge repeatedly. This can cause problems with automation.

This is a known issue that is currently being investigated.


RN-1142 (CM-22657)
The NCLU `net show counters json` command fails with an error

When you run the net show counters json command, you see the following error if any value is 'Unknown':

ERROR: Execution of the command failed.
"/usr/cumulus/bin/cl-netstat -j" failed.
Traceback (most recent call last):
  File "/usr/cumulus/bin/cl-netstat", line 292, in <module>
    cnstat_diff_print(cnstat_dict, cnstat_cached_dict, use_json)
  File "/usr/cumulus/bin/cl-netstat", line 135, in cnstat_diff_print
    print table_as_json(table)
  File "/usr/cumulus/bin/cl-netstat", line 62, in table_as_json
    header[3] : int(line[3]),
ValueError: invalid literal for int() with base 10: 'Unknown'

To work around this issue, run the following command to clear out the semaphore file created by cl-netstat -c:

cumulus@switch:~$ rm /tmp/cl-netstat-$UID/$UID

This is a known issue that is currently being investigated.


RN-1143 (CM-22631)
Adding MTU to a VLAN adds `mtu` lines for each bridge port even if they are not defined in /etc/network/interfaces

If you add the MTU to a VLAN with the NCLU net add vlan <vlan> mtu <mtu> command, Cumulus Linux adds extra mtu lines in the /etc/network/interfaces file when there are defined bridge ports that do not exist elsewhere in the file.

This is a known issue that is currently being investigated.


RN-1146 (CM-22796)
Switch ports previously in MLAG go unexpectedly into `protodown on` state

Switch ports that are configured as MLAG interfaces, then deleted, go into protodown on state unexpectedly.

To work around this issue, turn off protodown manually with the ip link command:

cumulus@switch:~$ ip link set  protodown off

This is a known issue that is currently being investigated.


RN-1294 (CM-24207)
NCLU traceback occurs when you remove a VLAN SVI

When you try to delete a VXLAN and the associated VLAN SVI with the net del vlan <vlan> command, you see an error similar to the following:

cumulus@switch:~$ net del vlan 10
ERROR: invalid literal for int() with base 10: 'vlan-id'
See /var/log/netd.log for more details.

This is a known issue that is currently being investigated.

Issues Fixed in Cumulus Linux 3.7.0

The following is a list of issues fixed in Cumulus Linux 3.7.0 from earlier versions of Cumulus Linux.

Release Note ID Summary Description

RN-894 (CM-20177)
Inter-subnet routing intermittently stops working in a central VXLAN routing configuration

In a VXLAN centralized routing configuration, IPv6 hosts (auto-configured using SLAAC) might experience intermittent connectivity loss between VXLAN segments (inter-subnet routing) within the data center fabric (EVPN type-5 external routes are not affected). The NA message has the wrong flag set (the router flag is not set, which is incorrect behavior based on RFC 4861, Section 4.4).

To work around this issue, configure bridge-arp-nd-suppress off under VNI interfaces for all VTEP devices.

This issue is fixed in Cumulus Linux 3.7.0.


RN-939 (CM-20944)
On Maverick switches, random links might not come up on boot when enabling RS FEC with 100G AOC cables

On Maverick 100G switches, after enabling FEC on links with 100G AOC cables, random links do not come up after a reboot.

To work around this issue, disable FEC on 100G AOC links.

This issue is fixed in Cumulus Linux 3.7.0.


RN-943 (CM-20639)
The neighbor table and EVPN routes are not updated on receiving GARP from an IP address that moved to a new MAC address

After moving an IP address to a new host, the neighbor table and EVPN routes do not update properly after receiving a GARP from the new MAC address to which the previously-active IP address has been moved.

This issue is fixed in Cumulus Linux 3.7.0.


RN-991 (CM-20316)
arp_accept and arp_ignore do not work for SVIs if a bridge has VXLAN interfaces

On a Cumulus Linux switch, if a bridge has VXLAN interfaces, then the arp_accept and arp_ignore options do not work for any switch virtual interfaces (SVIs).

To work around this issue, disable ARP suppression on the VXLAN interfaces. For example, if the VXLAN is named vni100, disable ARP suppression on it with the following command:

cumulus@switch:~$ net add vxlan vni100 bridge arp-nd-suppress off
cumulus@switch:~$ net commit

This issue is fixed in Cumulus Linux 3.7.0.


RN-1006 (CM-20644)
The ptp4l and phc2sys services are enabled by default resulting in repeated syslog messages

In Cumulus Linux 3.6.1 and later, the ptp4l and phc2sys services are enabled by default. If you are not using PTP or PTP is not configured, the logs are repeatedly filled with messages similar to the following.

2018-06-20T15:38:44.490543+00:00 cumulus phc2sys: [1542.230] Waiting for ptp4l...
2018-06-20T15:38:44.491160+00:00 cumulus phc2sys: [1542.230] uds: sendto failed: No such file or directory
2018-06-20T15:38:45.491747+00:00 cumulus phc2sys: [1543.231] Waiting for ptp4l...
2018-06-20T15:38:45.492259+00:00 cumulus phc2sys: [1543.231] uds: sendto failed: No such file or directory
2018-06-20T15:38:46.492925+00:00 cumulus phc2sys: [1544.233] Waiting for ptp4l...
2018-06-20T15:38:46.493440+00:00 cumulus phc2sys: [1544.233] uds: sendto failed: No such file or directory

To work around this issue in Cumulus Linux 3.6.2, add StartLimitInterval to both the ptp4l and phc2sys services as shown below:

sudo mkdir -p /etc/systemd/system/ptp4l.service.d /etc/systemd/system/phc2sys.service.d
sudo sh -c '/bin/echo -e "[Service]\nStartLimitInterval=375" > /etc/systemd/system/phc2sys.service.d/startinterval.conf'
sudo sh -c '/bin/echo -e "[Service]\nStartLimitInterval=375" > /etc/systemd/system/ptp4l.service.d/startinterval.conf'
sudo systemctl daemon-reload

This issue is fixed in Cumulus Linux 3.7.0.


RN-1040 (CM-22120)
Link down does not work on an Ethernet interface configured in the management VRF

The link-down yes configuration in the /etc/network/interfaces file does not work for eth0 or eth1 configured in the management VRF. This issue is not observed if the Ethernet interface is in the default VRF.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1041 (CM-21890)
Debian Security Advisory DSA-4259 for Ruby issues CVE-2017-17405 CVE-2017-17742 CVE-2017-17790 CVE-2018-6914 CVE-2018-8777 CVE-2018-8778 CVE-2018-8779 CVE-2018-8780 CVE-2018-1000073

The following CVEs were announced in Debian Security Advisory DSA-4259-1, and affect the ruby2.3 package.

This issue is fixed in Cumulus Linux 3.7.0.

-------------------------------------------------------------------------

Debian Security Advisory DSA-4259-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

July 31, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package: ruby2.3

CVE ID: CVE-2017-17405 CVE-2017-17742 CVE-2017-17790 CVE-2018-6914 CVE-2018-8777 CVE-2018-8778 CVE-2018-8779 CVE-2018-8780 CVE-2018-1000073 CVE-2018-1000074 CVE-2018-1000075 CVE-2018-1000076 CVE-2018-1000077 CVE-2018-1000078 CVE-2018-1000079

Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may result in incorrect processing of HTTP/FTP, directory traversal, command injection, unintended socket creation or information disclosure.

This update also fixes several issues in RubyGems which could allow an attacker to use specially crafted gem files to mount cross-site scripting attacks, cause denial of service through an infinite loop, write arbitrary files, or run malicious code.

For the stable distribution (stretch), these problems have been fixed in version 2.3.3-1+deb9u3.

We recommend that you upgrade your ruby2.3 packages.

Note: CVE-2018-1000073 and CVE-2018-1000074 are awaiting re-analysis.

For the detailed security status of ruby2.3, refer to its security tracker page at: https://security-tracker.debian.org/tracker/ruby2.3


RN-1042 (CM-22341)
An MLAG neighsync traceback occurs when you add an SVI with the NCLU command

When you use NCLU to add an SVI to the second MLAG peer (after adding to the first), clagd issues a traceback and becomes unresponsive until systemd puts it into a failed state.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1043 (CM-22066)
NCLU commands hang without response

When you run an NCLU command from the command line, the command hangs without a response.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1044 (CM-21996)
FRR reload fails when adding a new peer group and changing AFIs

When you add a new peer group, then change the AFIs associated with that peer group, the frr-reload script fails with the error Specify remote-as or peer-group commands first.

To work around this issue, perform the configuration in two separate commits. First, create the peer groups and commit, then change the AFIs in a second commit.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1045 (CM-21969)
Incorrect BFD UDP source port range

The BFD UDP source port range is incorrect.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1046 (CM-21922)
NCLU fails to configure 4x10G breakout ports

When you configure a breakout port using NCLU, the configuration is not successful.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1047 (CM-22247)
IPv6 GUA neighbors flushed when interface is added to the existing VRF

When you add a new SVI to the switch and assign it to an existing VRF, all IPv6 global unicast address (GUA) neighbors are flushed and existing traffic between hosts in the data center is dropped.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1049 (CM-22161)
The ptmd shell environment variables are not being set correctly

When the ptmd daemon detects an LLDP neighbor change event, the respective script is executed (if-topo-pass or if-topo-fail). Environment variables are set and are accessible to the script (as described in man ptmd). However, in LLDP events, some environment variables are not getting set correctly.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1050 (CM-22146)
Repeating an existing SNMP v3 user returns an incorrect exit code

If SNMP is configured, entering the NCLU command to create an SNMP v3 user that already exists returns an exit code of 1.

To work around this issue, delete the username with the net del snmp-server username <username> command before adding it again.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1053 (CM-21806)
NCLU mistakenly believes the FRR reload state is not active and restarts the service

NCLU mistakenly believes that the FRR reload state is not active and restarts the service.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1054 (CM-21768)
On a Broadcom Trident II+ switch, VXLAN decapsulation does not work for unknown unicast flooding

On a Broadcom Trident II+ switch, VXLAN decapsulation does not work for unknown unicast flooding.

To work around this issue, disable VXLAN routing by editing the /usr/lib/python2.7/dist-packages/cumulus/__chip_config/bcm/datapath.conf file; change the vxlan_routing_overlay.profile variable to disable, then restart switchd.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1055 (CM-21692)
The Dell S5048 Tomahawk+ ASIC does not provide high power to QSFP

The Dell S5048 Tomahawk+ ASIC does not provide high power to QSFP.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1056 (CM-22147)
Debian Security Advisory DSA-4280-1 for openssh issues CVE-2018-15473

The following CVE was announced in Debian Security Advisory DSA-4280-1 and affects the openssh package.

This issue is fixed in Cumulus Linux 3.7.0.

-------------------------------------------------------------------------

Debian Security Advisory DSA-4280-1 security@debian.org

https://www.debian.org/security/ Sebastien Delafond

August 22, 2018 https://www.debian.org/security/faq

--------------------------------------------------------------------------

Package : openssh

CVE ID : CVE-2018-15473

Debian Bug : 906236

Dariusz Tytko, Michal Sajdak and Qualys Security discovered that OpenSSH, an implementation of the SSH protocol suite, was prone to a user enumeration vulnerability. This would allow a remote attacker to check whether a specific user account existed on the target server.

For the stable distribution (stretch), this problem has been fixed in version 1:7.4p1-10+deb9u4.

We recommend that you upgrade your openssh packages.

For the detailed security status of openssh, refer to its security tracker page at: https://security-tracker.debian.org/tracker/openssh


RN-1057 (CM-21619)
Security: ntp issues CVE-2018-7182 CVE-2018-7183 CVE-2018-7184 CVE-2018-7185

The following CVEs affect ntp.

This issue is fixed in Cumulus Linux 3.7.0.

-------------------------------------------------------------------------

Ubuntu Security Notice USN-3707-1

July 09, 2018

ntp vulnerabilities

-------------------------------------------------------------------------

A security issue affects these releases of Ubuntu and its derivatives:

Ubuntu 18.04 LTS

Ubuntu 17.10

Ubuntu 16.04 LTS

Ubuntu 14.04 LTS

Summary: Several security issues were fixed in NTP.

Software Description: ntp: Network Time Protocol daemon and utility programs

Details:

Yihan Lian discovered that NTP incorrectly handled certain malformed mode 6 packets. A remote attacker could possibly use this issue to cause ntpd to crash, resulting in a denial of service. This issue only affected Ubuntu 17.10 and Ubuntu 18.04 LTS. (CVE-2018-7182)

Michael Macnair discovered that NTP incorrectly handled certain responses. A remote attacker could possibly use this issue to execute arbitrary code. (CVE-2018-7183)

Miroslav Lichvar discovered that NTP incorrectly handled certain zero-origin timestamps. A remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 17.10 and Ubuntu 18.04 LTS. (CVE-2018-7184)

Miroslav Lichvar discovered that NTP incorrectly handled certain zero-origin timestamps. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2018-7185)

Update instructions: The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS: ntp 1:4.2.8p10+dfsg-5ubuntu7.1

Ubuntu 17.10: ntp 1:4.2.8p10+dfsg-5ubuntu3.3

Ubuntu 16.04 LTS: ntp 1:4.2.8p4+dfsg-3ubuntu5.9

Ubuntu 14.04 LTS: ntp 1:4.2.6.p5+dfsg-3ubuntu2.14.04.13

In general, a standard system update will make all the necessary changes.

References: https://usn.ubuntu.com/usn/usn-3707-1

CVE-2018-7182, CVE-2018-7183, CVE-2018-7184, CVE-2018-7185


RN-1058 (CM-21700)
NCLU frr-reload failure returns an incorrect error code

If there is a failure when NCLU runs frr-reload.py, an incorrect error code of 0 is returned.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1059 (CM-21939)
Debian Security advisory DSA-4266-1 for kernel issues CVE-2018-13405

The following CVEs were announced in Debian Security Advisory DSA-4266-1, and affect the kernel.

This issue is fixed in Cumulus Linux 3.7.0.

-------------------------------------------------------------------------

Debian shows the CVE-2018-13405 details, including a link to the kernel.org fix, here: https://security-tracker.debian.org/tracker/CVE-2018-13405.

The kernel.org fix is here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7

Debian has the CVE-2018-5390 TCP DoS info here: https://security-tracker.debian.org/tracker/CVE-2018-5390.

CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') - CVE-2018-5390

Linux kernel versions 4.9+ can be forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service. An attacker can induce a denial of service condition by sending specially modified packets within ongoing TCP sessions. Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port. Thus, the attacks cannot be performed using spoofed IP addresses.

https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=1a4f14bab1868b443f0dd3c55b689a478f82e72e


RN-1060 (CM-22016)
Debian Security advisory DSA-4269-1 for postgresql issues CVE-2018-10915 CVE-2018-10925

The following CVEs were announced in Debian Security Advisory DSA-4269-1 and affect the postgresql package.

CVE-2018-10925 is fixed in Cumulus Linux 3.7.0. CVE-2018-10915 will be fixed once a fix is available upstream.

-------------------------------------------------------------------------

Debian Security Advisory DSA-4269-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

August 10, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : postgresql-9.6

CVE ID : CVE-2018-10915 CVE-2018-10925

Two vulnerabilities have been found in the PostgreSQL database system:

CVE-2018-10915

Andrew Krasichkov discovered that libpq did not reset all its connection state during reconnects.

CVE-2018-10925

It was discovered that some "CREATE TABLE" statements could disclose server memory.

For additional information, refer to the upstream announcement at https://www.postgresql.org/about/news/1878/

For the detailed security status of postgresql-9.6, refer to its security tracker page at: https://security-tracker.debian.org/tracker/postgresql-9.6

https://security-tracker.debian.org/tracker/source-package/postgresql-9.4

https://security-tracker.debian.org/tracker/CVE-2018-10915

https://security-tracker.debian.org/tracker/CVE-2018-10925

CVE-2018-10925 is listed as fixed in jessie source package: 9.4.19-0+deb8u1
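Each of the advisories quoted on this page (DSA-4280-1 for openssh, USN-3707-1 for ntp, DSA-4269-1 for postgresql, and DSA-4231-1 for libgcrypt20 in the known-issues list further down) names the package version that carries the fix, so the check a practitioner wants is whether the installed version is at or above that version. Debian version strings cannot be compared as plain text: the epoch, the upstream version, the Debian revision, and the rule that `~` sorts before everything else all matter. The following Python is an added example, not code from these release notes or from Cumulus Linux; it reimplements dpkg's version ordering and checks a constructed set of installed versions against the fixed versions quoted above. The installed versions and the package-to-advisory mapping are assumptions for illustration, and the stretch and Ubuntu fixed versions apply to the releases named in those advisories; for a jessie-based Cumulus Linux build (this page notes that 3.0 through 3.6.2 are jessie-based) you must substitute the jessie fixed version.

```python
"""Compare Debian/Ubuntu package versions the way dpkg does and report
installed packages that are older than the fixed version from an advisory.

Added example; this is not code from the Cumulus Linux release notes.
"""


def _order(ch: str) -> int:
    """Weight of one character in a non-digit run (dpkg's order()).

    End of string and digits weigh 0, letters weigh their code point,
    '~' sorts before everything (even the end of the string), and any
    other symbol sorts after the letters.
    """
    if ch == "" or ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    if ch == "~":
        return -1
    return ord(ch) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """dpkg's verrevcmp(): walk both strings, alternating non-digit runs
    (compared character by character with _order) and digit runs
    (compared numerically, leading zeros ignored)."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1      # a still has digits left, so its number is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version: str) -> tuple:
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:               # no Debian revision at all
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version a is older than, equal to, or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    result = (ea > eb) - (ea < eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)
    return (result > 0) - (result < 0)


# Fixed versions quoted by the advisories on this page. The stretch and
# Ubuntu entries are for the releases named in those advisories; a
# jessie-based Cumulus Linux build needs the jessie fixed version instead.
# Binary package names (assumed) carry the same version as the source package.
FIXED_VERSIONS = {
    "openssh-server": "1:7.4p1-10+deb9u4",   # DSA-4280-1, CVE-2018-15473 (stretch)
    "ntp": "1:4.2.8p4+dfsg-3ubuntu5.9",      # USN-3707-1 (Ubuntu 16.04 LTS)
    "postgresql-9.4": "9.4.19-0+deb8u1",     # DSA-4269-1, CVE-2018-10925 (jessie)
    "libgcrypt20": "1.7.6-2+deb9u3",         # DSA-4231-1, CVE-2018-0495 (stretch)
}


def unpatched_packages(installed: dict, fixed: dict = FIXED_VERSIONS) -> list:
    """Names of packages whose installed version is older than the fixed one.

    `installed` maps a package name to the version string dpkg-query prints.
    """
    return [pkg for pkg, ver in installed.items()
            if pkg in fixed and compare_versions(ver, fixed[pkg]) < 0]


# Constructed sample of dpkg-query output; not taken from a real switch.
SAMPLE_INSTALLED = {
    "openssh-server": "1:7.4p1-10+deb9u3",   # one revision behind the fix
    "ntp": "1:4.2.8p4+dfsg-3ubuntu5.9",      # exactly the fixed version
    "postgresql-9.4": "9.4.19-0+deb8u1",     # exactly the fixed version
    "libgcrypt20": "1.7.6-2+deb9u3~bpo8+1",  # '~' makes this older than the fix
}

if __name__ == "__main__":
    for pkg in unpatched_packages(SAMPLE_INSTALLED):
        print(f"{pkg}: {SAMPLE_INSTALLED[pkg]} is older than {FIXED_VERSIONS[pkg]}")
```

On a switch, replace the constructed dictionary with the real versions from `dpkg-query -W -f='${Package} ${Version}\n' openssh-server ntp libgcrypt20`. The backport case in the sample is the one that a naive string comparison gets wrong: `1.7.6-2+deb9u3~bpo8+1` looks longer and "bigger" than `1.7.6-2+deb9u3` but sorts before it, so it does not carry the fix.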


RN-1065 (CM-22300)
Bouncing the VNI interface causes switchd to restart

Bouncing the VNI interface on a VXLAN VTEP causes the switchd process to restart.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1072 (CM-22302)
Cumulus Networks has changed the way you enable the openvswitch-vtep service on boot

In previous versions of Cumulus Linux, the openvswitch-vtep service was enabled on boot by editing the /etc/default/openvswitch-vtep config file and changing the START variable to yes. In Cumulus Linux 3.7, this configuration file variable is no longer used. You now enable the openvswitch-vtep service on boot with the following commands:

cumulus@switch:~$ sudo systemctl enable openvswitch-vtep.service
cumulus@switch:~$ sudo systemctl start openvswitch-vtep.service

RN-1105 (CM-22093)
When the Mellanox switch is not licensed, the Ansible setup module might cause a kernel fault

When you run an Ansible playbook against an unlicensed Mellanox switch, a kernel fault occurs while the setup module executes.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1106 (CM-22088, CM-21978)
After a combination of MAC and IP moves, the neighbor entry for the local host points to the old MAC address

After a sequence of MAC moves and IP moves, the leaf switches behind which the host is present point to the old MAC address associated with that IP address.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1107 (CM-22008)
The `net show config commands` command lists invalid vid and pvid configuration

If a bond is configured with NCLU, incorrect configuration is generated on the system so that when you run net show config commands, you see a message stating that the vid and pvid commands are not supported and incorrect commands are provided to configure them.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1108 (CM-21926)
ML2 REST API call to add a host to the bridge fails

An ML2 REST API call to add a host to the bridge fails with an error.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1109 (CM-21895)
BGPd crashes when you delete a peer (or BGP instance) with max med on startup configured while timer is running

When a BGP peer is created with max med on startup, a timer is created. Deleting the BGP instance that contains that peer during the window in which the timer is still running results in a BGPd crash.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1110 (CM-21833)
GARP messages not transmitted on a physical VLAN interface when VRR is configured

For hosts (virtual machines) that rely on VRR, it is expected that the virtual-address is periodically sent by the gateway to avoid flooding on kvm/libvirt.

Cumulus Linux sends GARP messages every 150 seconds out of the -v0 interface; the packet is not transmitted on the physical VLAN interface.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1111 (CM-21804)
mstpd prints unnecessary `bridge_notify: port ##: no_flush 0` log when there is a netlink link event

Whenever there is a netlink link event, mstpd prints an additional log: bridge_notify: port 65: no_flush 0 where 65 is the ifIndex. There are already clear logs when there is a link transition; this log is not necessary.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1112 (CM-21782)
Changing the `clagd-backup-ip address` parameter results in loss of VRF configuration

If you change the IP address of the clagd-backup-ip parameter in the configuration file and run ifreload -a, the changes are not applied and the VRF configuration is removed.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1113 (CM-21487)
ML2 traceback during `openstack network create` on Openstack Ocata

When running the openstack network create command, you see an internal server error.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1114 (CM-19870)
Edgecore AS4610-54T always displays yellow system LED

The Edgecore AS4610-54T switch always displays a yellow system LED.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1115 (CM-14233)
clagd goes down when you apply the anycast IP address

When you apply an anycast IP address in a VXLAN configuration to a pair of switches, the clagd process stops.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1168 (CM-22538)
If the /etc/network/interfaces alias is different from the frr.conf description, an /etc/frr/daemons error occurs when deleting the interface

When deleting an interface using NCLU, if the /etc/network/interfaces alias is different than the /etc/frr/frr.conf description, the net commit command returns the following error:

"/etc/frr/daemons was modified by another user."

Despite this error being returned, the change still goes through, and the description gets removed from the frr.conf file.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1200 (CM-21566)
Changing BGP autonomous system numbers (ASN) when using EVPN stops programming of VXLAN forwarding entries

If you change the ASN configuration on a switch running EVPN then reload the FRR service (using sudo systemctl reload frr or via net commit), the programming of VXLAN forwarding entries breaks.

To avoid this issue when making this change, restart the FRR process (using sudo systemctl restart frr) instead.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1344 (CM-22190)
`clagd` traceback after several ifdown/ifup commands on SVI interface

If you run ifdown and ifup commands several times on an SVI, you might see a clagd traceback.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1345 (CM-21162)
peerlink.4094 not deleted with NCLU `net del all` command pushed from Ansible

When you use the net del all command in a configuration that is run by an Ansible script, the peerlink.4094 interface remains in the configuration, which prevents the commit from completing because the configured MTU is not accepted.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1346 (CM-13759)
On Broadcom switches, the HwIfOutQlen counter is incorrect

On a Broadcom switch the HwIfOutQlen NIC statistic shows an incorrect value.

This issue is fixed in Cumulus Linux 3.7.0.

The following issues were moved to this list on October 3, 2019.

RN-750 (CM-17457)
On Maverick switches, multicast traffic limited by lowest speed port in the group

The Maverick switch limits multicast traffic by the lowest speed port that has joined a particular group.

This is a known limitation on this platform and is now documented in the user guide.


RN-764 (CM-17434)
On Broadcom switches, all IP multicast traffic uses only queue 0

On Broadcom switches, IPv4 and IPv6 multicast traffic always maps into queue 0.

This is a known limitation on these platforms and is now mentioned in the user guide.

Known Issues in Cumulus Linux 3.7.0

The following known issues affect the Cumulus Linux 3.7.0 release.


RN-389 (CM-8410)
switchd supports only port 4789 as the UDP port for VXLAN packets

switchd currently allows only the standard port 4789 as the UDP port for VXLAN packets. If a hypervisor uses a non-standard UDP port, VXLAN exchanges with the hardware VTEP do not work; packets are not terminated and encapsulated packets are sent out on UDP port 4789.

This is a known issue that is currently being investigated.


RN-537 (CM-12967)
Pause frames sent by a Tomahawk switch are not honored by the upstream switch

When link pause or priority flow control (PFC) is enabled on a Broadcom Tomahawk-based switch and there is over-subscription on a link, where the ASIC sends pause frames aggressively, the upstream switch does not throttle enough.

If you need link pause or PFC functionality, use a switch that does not use the Tomahawk ASIC.


RN-602 (CM-15094)
sFlow interface speed incorrect in counter samples

Counter samples exported from the switch show an incorrect interface speed.

This is a known issue that is currently being investigated.


RN-604 (CM-15959)
ARP suppression does not work well with VXLAN active-active mode

In some instances, ARP requests are not suppressed in a VXLAN active-active scenario, but instead get flooded over VXLAN tunnels. This issue is caused because there is no control plane syncing the snooped local neighbor entries between the MLAG pair; MLAG does not perform this sync, and neither does EVPN.

This is a known issue that is currently being investigated.


RN-640 (CM-16461)
Cumulus VX OVA image for VMware reboots due to critical readings from sensors

After booting a Cumulus VX virtual machine running the VMware OVA image, sometimes messages from sensors appear, indicating that the "Avg state" is critical, with all values displayed as 100.0. A cl-support is generated.

This is a known issue that is currently being investigated.


RN-656 (CM-17617)
The switchd heartbeat fails on Tomahawk switches with VXLAN scale configuration (512 VXLAN interfaces)

When a Tomahawk switch has 512 VXLAN interfaces configured, the switchd heartbeat fails. This can cause switchd to dump core.

To work around this issue, disable VXLAN statistics in switchd. Edit /etc/cumulus/switchd.conf and comment out the following line:

cumulus@switch:~$ sudo nano /etc/cumulus/switchd.conf

...

#stats.vxlan.member = BRIEF

...

Then restart switchd for the change to take effect. This causes all network ports to reset in addition to resetting the switch hardware configuration.

cumulus@switch:~$ sudo systemctl restart switchd.service

RN-744 (CM-18986)
Unable to modify BGP ASN for a VRF associated with layer 3 VNI

After editing the frr.conf file to modify the BGP ASN for a VRF associated with a layer 3 VNI, the change is not applied.

To work around this issue, first delete the layer 3 VNI, then try to modify the BGP VRF instance.


RN-751 (CM-17157)
Pull source-node replication schema patch from upstream

The upstream OVSDB VTEP schema has been updated multiple times and now contains a patch to support source-node replication. This patch is not included with the latest version of Cumulus Linux.

This is a known issue that is currently being investigated.


RN-754 (CM-15812)
Multicast forwarding fails for IP addresses whose DMAC overlaps with reserved DIPs

Multicast forwarding fails for IP addresses whose DMAC overlaps with reserved DIPs.

This is a known issue that is currently being investigated.


RN-755 (CM-16855)
Auto-negotiation ON sometimes results in NO-CARRIER

If the two nodes on either side of a link both change from auto-negotiation off to auto-negotiation on within a short interval (around one second), the link might start flapping or stay down.

To work around this issue and stop the flapping, turn the link down on the switch with the command ifdown swpX, wait a few seconds, then bring the link back up with the command ifup swpX. Repeat this on the other side if necessary.


RN-757 (CM-18537)
On Mellanox switches, congestion drops not counted

On the Mellanox switch, packet drops due to congestion are not counted.

To work around this issue, run the command sudo ethtool -S swp1 to collect interface traffic statistics.


RN-758 (CM-17557)
If sFlow is enabled, some sampled packets (such as multicast) are forwarded twice

When sFlow is enabled, some sampled packets, such as IPMC, are forwarded twice (in the ASIC and then again through the kernel networking stack).

This is a known issue that is currently being investigated.


RN-760 (CM-18682)
smonctl utility JSON parsing error

There is a parsing error with the smonctl utility. In some cases when JSON output is chosen, the smonctl utility crashes. The JSON output is necessary to make the information available through SNMP.

This is a known issue that is currently being investigated.


RN-766 (CM-19006)
On the Broadcom Trident II+, Trident3, and Maverick platform, in an external VXLAN routing environment, the switch does not rewrite MAC addresses and TTL, so packets are dropped by the next hop

On the Broadcom Trident II+, Trident3, and Maverick based switch, in an external VXLAN routing environment, when a lookup is done on the external-facing switch (exit/border leaf) after VXLAN decapsulation, the switch does not rewrite the MAC addresses and TTL; for through traffic, packets are dropped by the next hop instead of correctly routing from a VXLAN overlay network into a non-VXLAN external network (for example, to the Internet).

This applies to all forms of VXLAN routing (centralized, asymmetric and symmetric) and affects all traffic from VXLAN overlay hosts that need to be routed after VXLAN decapsulation on an exit/border leaf, including:

  • Traffic destined to external networks (through traffic)
  • Traffic destined to the exit leaf SVI address

To work around this issue, modify the external-facing interface for each VLAN subinterface by creating a temporary VNI and associating it with the existing VLAN ID.

For example, if the expected interface configuration is:

auto swp3.2001
iface swp3.2001
    vrf vrf1
    address 10.0.0.2/24
# where swp3 is the external facing port and swp3.2001 is the VLAN subinterface

auto bridge
iface bridge
    bridge-vlan-aware yes
    bridge ports vx-4001
    bridge-vids 4001

auto vx-4001
iface vx-4001
    vxlan-id 4001
    <... usual vxlan config ...>
    bridge-access 4001
# where vnid 4001 represents the L3 VNI

auto vlan4001
iface vlan4001
    vlan-id 4001
    vlan-raw-device bridge
    vrf vrf1

Modify the configuration as follows:

auto swp3
iface swp3
    bridge-access 2001
# associate the port (swp3) with bridge 2001

auto bridge
iface bridge
    bridge-vlan-aware yes
    bridge ports swp3 vx-4001 vx-16000000
    bridge-vids 4001 2001
# where vx-4001 is the existing VNI and vx-16000000 is a new temporary VNI
# this is now bridging the port (swp3), the VNI (vx-4001),
# and the new temporary VNI (vx-16000000)
# the bridge VLAN IDs are now 4001 and 2001

auto vlan2001
iface vlan2001
    vlan-id 2001
    vrf vrf1
    address 10.0.0.2/24
    vlan-raw-device bridge
# create a VLAN 2001 with the associated VRF and IP address

auto vx-16000000
iface vx-16000000
    vxlan-id 16000000
    bridge-access 2001
    <... usual vxlan config ...>
# associate the temporary VNI (vx-16000000) with bridge 2001

auto vx-4001
iface vx-4001
    vxlan-id 4001
    <... usual vxlan config ...>
    bridge-access 4001
# where vnid 4001 represents the L3 VNI

auto vlan4001
iface vlan4001
    vlan-id 4001
    vlan-raw-device bridge
    vrf vrf1

If an MLAG pair is used instead of a single exit/border leaf, the same temporary VNIs should be added on both switches of the MLAG pair.


RN-808 (CM-15902)
In EVPN, sticky MAC addresses move from one bridge port to another

In EVPN environments, sticky MAC addresses move from one bridge port to another on soft nodes.

This is a known issue that is currently being investigated.


RN-822 (CM-19788)
Using the same VLAN ID on a subinterface and bridge VIDs for a given port is not easily corrected

If you configure a VLAN under a VLAN-aware bridge and create a subinterface of the same VLAN on one of the bridge ports, the bridge and interface compete for the same VLAN and if the interface is flapped, it stops working. Correcting the configuration and running the ifreload command does not resolve the conflict. To work around this issue, correct the bridge VIDs and restart switchd or delete the subinterface.

This is a known issue that is currently being investigated.


RN-823 (CM-19724)
Multicast control protocols are classified to the bulk queue by default

PIM and MSDP entries are set to the internal COS value of 6 so they are grouped together with the bulk traffic priority group in the default traffic.conf file. However, PIM, IGMP, and MSDP are considered control-plane and should be set to the internal COS value of 7.

This is a known issue that is currently being investigated.


RN-881 (CM-20665)
On Tomahawk+ switches, 100G DAC cables don’t link up on 3 out of the 6 ports when auto-negotiation is on

100G Copper Direct Attach Cables (DAC) might not link up on ports 49, 51, and 52 when auto-negotiation is set to on.

To work around this issue, disable auto-negotiation on both sides of the cables plugged into these ports or move the 100G DACs to ports 50, 53, or 54.

This is a known issue that is currently being investigated.


RN-884 (CM-20534)
Dynamic leaking of routes between VRFs occurs through the default BGP instance

The default BGP instance must be provisioned and always exist for proper operation of dynamic leaking of routes between VRFs.

This is a known issue that is currently being investigated.


RN-885 (CM-20530)
NCLU 'net show interface' command shows 'NotConfigured' for unnumbered interfaces

When an interface is configured for OSPF/BGP unnumbered, the net show interface command shows NotConfigured instead of showing that it is unnumbered.

This is a known issue that is currently being investigated.


RN-886 (CM-20508)
On Mellanox and Broadcom switches, the Cumulus-Resource-Query-MIB defines buffer utilization objects but returns nothing

The Cumulus-Resource-Query-MIB defines the ability to gather buffer utilization status but when these objects are polled, they return nothing.

This is a known issue that is currently being investigated.


RN-893 (CM-20363)
IPv6 RA should include all on-link prefixes as prefix information

IPv6 RAs from a router can be used for host auto-configuration. The main items a host can auto-configure from an RA are the on-link prefixes (which the host can use to configure its own addresses) and the default router; some other information can also be indicated. FRR can advertise some of these parameters, but it does not automatically include every on-link prefix as prefix information. To work around this issue, configure the prefixes explicitly for announcement through RA with the ipv6 nd prefix command.

This is a known issue that is currently being investigated.


RN-896 (CM-20139)
On Mellanox switches, egress ACL (destination port matching) on bonds is not allowed

An ACL rule that matches on an outbound bond interface fails to install. For example, a rule like this fails.

[iptables]
-A FORWARD --out-interface  -j DROP

To work around this issue, duplicate the ACL rule on each physical port of the bond. For example:

[iptables]
-A FORWARD --out-interface  -j DROP
-A FORWARD --out-interface  -j DROP

This is a known issue that is currently being investigated.
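The workaround above duplicates a bond's egress rule onto each member port by hand, which is easy to get wrong in a policy file with many rules. As an added example (not Cumulus Linux code), the following Python performs that expansion over a cl-acltool policy file: any rule whose out-interface is a bond is rewritten into one rule per member port, and every other line is passed through untouched. The bond membership (bond0 made of swp1 and swp2) and the sample policy are constructed assumptions so the example runs offline; on the switch you would read the members from /sys/class/net/<bond>/bonding/slaves.

```python
"""Expand an egress ACL rule that names a bond into one rule per member port.

Added example for the workaround above; not Cumulus Linux code. The bond
membership is a constructed assumption so the example runs offline; on
the switch, read it from /sys/class/net/<bond>/bonding/slaves.
"""
import re

# Assumed topology: bond0 is made of swp1 and swp2.
BOND_MEMBERS = {"bond0": ["swp1", "swp2"]}

# Long or short spelling of the option, preceded by whitespace or line start,
# so the "-o" alternative cannot match inside "--out-interface" or "--in-interface".
_OUT_IF = re.compile(r"(?<!\S)(?P<opt>--out-interface|-o)\s+(?P<name>\S+)")


def expand_bond_rule(rule: str, bonds: dict = BOND_MEMBERS) -> list:
    """Return [rule] unchanged unless it matches on an outbound bond, in which
    case return one copy of the rule per member port of that bond."""
    m = _OUT_IF.search(rule)
    if not m or m.group("name") not in bonds:
        return [rule]
    head, tail = rule[:m.start("name")], rule[m.end("name"):]
    return [head + port + tail for port in bonds[m.group("name")]]


def expand_acl_file(text: str, bonds: dict = BOND_MEMBERS) -> str:
    """Apply expand_bond_rule to every rule line of a cl-acltool policy file,
    leaving [iptables]/[ip6tables] section headers and comments untouched."""
    out = []
    for line in text.splitlines():
        if line.lstrip().startswith(("-A", "-I")):
            out.extend(expand_bond_rule(line, bonds))
        else:
            out.append(line)
    return "\n".join(out)


# Constructed policy file in the [iptables] section format shown above.
SAMPLE_POLICY = """[iptables]
-A FORWARD --out-interface bond0 -j DROP
-A FORWARD --in-interface swp3 -j ACCEPT"""

if __name__ == "__main__":
    print(expand_acl_file(SAMPLE_POLICY))
```

The expanded rules keep the bond's semantics only as long as the bond membership does not change; regenerate the policy file (and re-run cl-acltool) whenever a port is added to or removed from the bond.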


RN-899 (CM-20028)
On the Dell-S4148 switch, you can't configure ports on the second pipeline into a gang

On the Dell S4148 switch, when you try to configure any of the ports on the second pipeline (port 31-54) into a gang (40G/4) through the ports.conf file, switchd fails.

This is a known issue that is currently being investigated.


RN-900 (CM-20026)
OSPF default-information originate stops working if removed and added in quick succession

When OSPF is originating a default route, and the command is removed from the process, then re-added, the router stops advertising the default route. Configuring the default-information originate command a second time causes it to start working.

This is a known issue that is currently being investigated.


RN-901 (CM-19936)
'rdnbrd' should not be enabled with EVPN

If you start rdnbrd in an EVPN configuration, local and remote neighbor entries are deleted. Enabling rdnbrd in an EVPN configuration is not supported.


RN-903 (CM-19643)
Disabling 'bgp bestpath as-path multipath relax' still leaves multipath across AS for EVPN

When BGP multipath is enabled, EVPN prefix (type-5) routes imported into a VRF always form multipath across paths that originate even from a different neighbor AS. This happens even if the as-path-relax configuration is disabled or not applied.

This is a known issue that is currently being investigated.


RN-932 (CM-20869)
Bridge loop causes BGP EVPN to install remote MAC as a local MAC and does not recover automatically

A bridge loop causes frames that arrive through EVPN to be forwarded back to the EVPN bridge. After resolving the forwarding loop, the bridge FDB table recovers, but BGP does not recover automatically. Because the MAC appears to move rapidly, BGP installs the remote MAC as a local entry and advertises it out. Even though the bridge FDB table appears to be correct, bridged traffic destined to the misprogrammed MAC fails.

This is a known issue that is currently being investigated.


RN-938 (CM-20979)
Removing a VLAN from a bridge configured with VXLAN results in an outage

Removing a VLAN from a bridge configured with VXLAN causes a network service outage until the configuration change is reverted with the net rollback last command.

To work around this issue, remove the VNI interface first, then remove the unused VLAN from the bridge.

This is a known issue that is currently being investigated.


RN-940 (CM-20813)
On Mellanox switches, packets are not mirrored on matching '--out-interface bond0' SPAN rules

Span rules that match the out-interface as a bond do not mirror packets.

This is a regression of an earlier issue and is being investigated at this time.


RN-941 (CM-20806)
When configuring layer 2 VPN EVPN in vtysh, if the route-target matches the VNI and AS number, the configuration does not display the route target

When configuring layer 2 VPN EVPN in vtysh, if a route-target matches both the AS number and the VNI number, the route target does not display in the configuration. This is currently the default behavior.

This is a known issue that is currently being investigated.


RN-948 (CM-17494)
The default arp_ignore mode does not prevent reachable neighbor entries for hosts not on the connected subnet

In certain cases, a peer device sends an ARP request from a source IP address that is not on the connected subnet and the switch creates a STALE neighbor entry. Eventually, the switch attempts to keep the entry fresh and sends ARP requests to the host. If the host responds, the switch has REACHABLE neighbor entries for hosts that are not on the connected subnet.

To work around this issue, change the value of arp_ignore to 2. See Default ARP Settings in Cumulus Linux for more information.


RN-953 (CM-21082)
Virtual device counters not working as expected

Virtual device counters are not working as expected. The TX counter increments but the RX counter does not.

This is a known issue that is currently being investigated.


RN-956 (CM-21055)
On Mellanox switches, the destination MAC of ERSPAN GRE packets is set to all zeros

On Mellanox switches, the destination MAC of ERSPAN GRE packets is set to all zeros; therefore, the packets are dropped by the first transit switch.

This issue is being investigated at this time.


RN-989 (CM-9695)
cl-resource-query: ACL metrics are displayed as 0 on a Mellanox switch

On a Mellanox MLX-2700 switch, cl-resource-query reports every ACL-related metric as 0. For example:

cumulus@mlx-2700-08:~$ sudo cl-resource-query 
Host entries:              34,   0% of maximum value   5120
IPv4 neighbors:             8
IPv6 neighbors:            13
IPv4 entries:           32768,  82% of maximum value  39936
IPv6 entries:               0,   0% of maximum value  15360
IPv4 Routes:            32768
IPv6 Routes:                0
Total Routes:           32768, 100% of maximum value  32768
ECMP nexthops:             64,   0% of maximum value 209664
MAC entries:                0,   0% of maximum value 409600
Ingress ACL entries:        0,   0% of maximum value      0
Ingress ACL counters:       0,   0% of maximum value      0
Ingress ACL meters:         0,   0% of maximum value      0
Ingress ACL slices:         0,   0% of maximum value      0
Egress ACL entries:         0,   0% of maximum value      0
Egress ACL counters:        0,   0% of maximum value      0
Egress ACL meters:          0,   0% of maximum value      0
Egress ACL slices:          0,   0% of maximum value      0

To work around this issue, run the Mellanox sx_api_resource_manager_dump_all.py debug utility:

cumulus@mlx-2700-08:~$ sudo sx_api_resource_manager_dump_all.py > tmp-cl-resq
cumulus@mlx-2700-08:~$ cat tmp-cl-resq
[+] opening sdk 
[0/1847] sx_api_open handle:0x14c3724 , rc 0
HW Table Utilization
Utilization for HW resource TCAM is 42.9
Utilization for HW resource KVD Hash is 69.9
Utilization for HW resource KVD Linear is 49.9
Utilization for HW resource PGT is 0.0
Utilization for HW resource Flow Counter is 0.0
Utilization for HW resource ACL Regions is 1.0
Logical Free Entries Count
============================================================
| Resource                    | Free Entries |
============================================================
| UC MAC Table                |        67181 |
| MC MAC Table                |        67181 |
| FIB IPV4 UC Table           |       132628 |
| FIB IPV6 UC Table           |        95802 |
| FIB IPV4 MC Table           |         2288 |
| ARP IPV4 Table              |        32569 |
| ARP IPV6 Table              |        12292 |
| Unicast Adjacency Table     |         8197 |
| L2 MC VECTORS Table         |         6999 |
| ACL Extended Actions Table  |         8197 |
| ACL PBS Table               |         8197 |
| eRIF List                   |         8197 |
| ILM Table                   |        67181 |
| VLAN Table                  |            1 |
| VPorts Table                |        67181 |
| FID Table                   |        16362 |
| Policy Based MPLS ILM Table |         8197 |
| ACL Regions                 |          396 |
| ACL Rules 18B Key           |         2254 |
| ACL Rules 32B Key           |         1024 |
| ACL Rules 54B Key           |         1022 |
| RIF Counter Basic           |         3276 |
| RIF Counter Enhanced        |         1092 |
| Flow Counter                |         2048 |
| ACL GROUPS Table            |          396 |
Logical Table Utilization
================================================================================================
| Resource                | HW Table        | Logical Entries | HW Entries | Utilization(%) |
================================================================================================
| UC MAC Table            | KVD Hash        |              43 |         43 |            0.0 |
| FIB IPV4 UC Table       | KVD Hash        |              89 |      65790 |           26.5 |
| FIB IPV6 UC Table       | KVD Hash        |              51 |      28926 |           11.6 |
| FIB IPV4 MC Table       | TCAM            |               0 |        192 |            1.1 |
| ARP IPV4 Table          | KVD Hash        |             199 |      32768 |           13.2 |
| ARP IPV6 Table          | KVD Hash        |            4092 |      32768 |          179.6 |
| Unicast Adjacency Table | KVD Linear      |            8187 |       8187 |           49.9 |
| VPorts Table            | KVD Hash        |               0 |         22 |            0.0 |
| FID Table               | KVD Hash        |              22 |         22 |            0.0 |
| ACL Regions             | ACL Regions     |               4 |          4 |            1.0 |
| ACL Rules 18B Key       | TCAM            |               2 |         64 |            0.3 |
| ACL Rules 54B Key       | TCAM            |               2 |       5760 |           35.1 |
| ACL GROUPS Table        | ACL Group Table |               4 |        400 |          100.0 |
cumulus@mlx-2700-08:~$

This is a known issue that is currently being investigated.


RN-993 (CM-20585)
Routes learned via EVPN clouds do not get summarized

Routes that are learned from an EVPN cloud don't get summarized. Only routes that reside on or are owned by a switch get summarized.

This is a known issue and should be fixed in a future release of Cumulus Linux.


RN-994 (CM-21332)
switchd doesn't assign a gport for a VLAN subinterface

When two VLAN subinterfaces are bridged to each other in a traditional mode bridge, switchd doesn't assign a gport to the subinterface, even though a gport is expected for each VLAN subinterface.

To work around this issue, you can do one of two things:

  • Add a VXLAN on the bridge so it does not require a real tunnel IP address.
  • Separate the ingress and egress functions across two physical ports.

This is a known issue that is currently being investigated.


RN-995 (CM-21373)
Debian Security advisory DSA-4231-1/CVE-2018-0495 for libgcrypt20 package

Debian issued the following security advisory, DSA-4231-1, which affects the libgcrypt20 package. This advisory applies only to the Debian Stretch release.

Debian Jessie, upon which Cumulus Linux 3.0 - 3.6.2 is based, is vulnerable, but the vulnerability has not been fixed upstream in Debian yet.

-------------------------------------------------------------------------

Debian Security Advisory DSA-4231-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

June 17, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : libgcrypt20

CVE ID : CVE-2018-0495

It was discovered that Libgcrypt is prone to a local side-channel attack allowing recovery of ECDSA private keys.

For the stable distribution (stretch), this problem has been fixed in version 1.7.6-2+deb9u3.

We recommend that you upgrade your libgcrypt20 packages.

For the detailed security status of libgcrypt20 please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/libgcrypt20

This issue will be fixed in a future version of Cumulus Linux when a fix is made available for Debian Jessie.


RN-996 (CM-21379)
Floating static route is not installed into the FIB when the primary route becomes unavailable

If a primary route becomes unavailable (for example, you run ifdown on the switch port), the backup route remains inactive and is not installed into FIB.

To work around this issue, configure routes as ECMP:

cumulus@switch:~$ net del routing route 4.1.1.0/24 1.1.1.1 10
cumulus@switch:~$ net add routing route 4.1.1.0/24 1.1.1.1
cumulus@switch:~$ net commit

This is a known issue that is currently being investigated.


RN-997 (CM-21393)
A VXLAN implementation is using a UDP source port lower than 1024

Because VXLAN encapsulation uses a full range of source ports, it is possible for Cumulus Linux switches to generate packets with UDP source ports numbered lower than 1023. This might result in the traffic being mishandled in your network if you have rules in place to handle this port range differently. For example, you might have DSCP set up for this port range.

To work around this issue, avoid using the well-known port range for sourcing VXLAN traffic.

This is a known issue that is currently being investigated.
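The following is an added example, not code from these release notes: it models how a flow hash is mapped onto a UDP source-port range (the arithmetic follows the Linux kernel's udp_flow_src_port(), port = ((hash * (max - min)) >> 32) + min; the hash itself is a constructed CRC32 stand-in, not skb_get_hash()) and reports which constructed inner flows would be encapsulated with a source port in the well-known range, which is what DSCP or ACL rules written for ports 0-1023 would then match.

```python
"""Model of VXLAN UDP source-port selection plus a check for the well-known range.

Added example, not code from the Cumulus Linux release notes. The port
mapping follows the Linux kernel's udp_flow_src_port() arithmetic
(port = ((hash * (max - min)) >> 32) + min); the 32-bit flow hash itself is
a constructed stand-in (CRC32 of the inner 5-tuple), not skb_get_hash().
"""
import zlib
from typing import NamedTuple

VXLAN_UDP_PORT = 4789        # IANA-assigned VXLAN destination port
WELL_KNOWN_MAX = 1023        # 0-1023 is the well-known (system) port range


class Flow(NamedTuple):
    src_ip: str
    dst_ip: str
    proto: int
    sport: int
    dport: int


def flow_hash(flow: Flow) -> int:
    """32-bit hash of the inner 5-tuple (stand-in for the kernel's skb_get_hash)."""
    key = "|".join(str(v) for v in flow).encode()
    return zlib.crc32(key) & 0xFFFFFFFF


def src_port_from_hash(hash_value: int, port_min: int, port_max: int) -> int:
    """Map a 32-bit flow hash onto [port_min, port_max - 1].

    The multiply-and-shift keeps the distribution uniform without a modulo;
    with port_min=0 the result can land anywhere in the well-known range.
    """
    if not 0 <= port_min < port_max <= 65535 or not 0 <= hash_value <= 0xFFFFFFFF:
        raise ValueError("invalid port range or hash")
    return ((hash_value * (port_max - port_min)) >> 32) + port_min


def vxlan_src_port(flow: Flow, port_min: int = 0, port_max: int = 65535) -> int:
    """Source port the encapsulating VXLAN/UDP header would carry for this flow."""
    return src_port_from_hash(flow_hash(flow), port_min, port_max)


def flows_on_well_known_ports(flows, port_min: int = 0, port_max: int = 65535):
    """Flows whose VXLAN source port falls in 0-1023 and so would match rules
    (DSCP marking, ACLs) written for that range. Raising port_min to 1024
    is the release note's workaround expressed as a range."""
    return [f for f in flows if vxlan_src_port(f, port_min, port_max) <= WELL_KNOWN_MAX]


# Constructed sample inner flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("10.1.1.%d" % i, "10.2.2.%d" % (i % 7), 6, 40000 + i, 443) for i in range(200)
]

if __name__ == "__main__":
    hits = flows_on_well_known_ports(SAMPLE_FLOWS)
    print(f"full range: {len(hits)} of {len(SAMPLE_FLOWS)} flows use a well-known source port")
    print(f"port_min=1024: {len(flows_on_well_known_ports(SAMPLE_FLOWS, 1024))} flows")
```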


RN-998 (CM-21398)
Creating a MGMT ACL via NCLU results in a FORWARD entry

If you use NCLU to configure an ACL for eth0, you cannot designate it as an INPUT rule; the rule is automatically created as a FORWARD rule in the /etc/cumulus/acl/policy.d/50_nclu_acl.rules file.

This is a known issue that is currently being investigated.


RN-1000 (CM-21454)
Creating a new traditional mode bridge causes temporary traffic loss

Sometimes when you create a new bridge in traditional mode, an outage of 20-30 seconds can occur when running ifreload. This issue is more noticeable if you add and remove traditional bridges multiple times a day. The outage is long enough to drop BGP and OSPF sessions running through the switch, yet the ifreload debug logs show everything as normal, with no interfaces going down.

This is a known issue that is currently being investigated.


RN-1002 (CM-21556)
FRR next-hop resolution changes are not updated when applying a VRF to an interface after routes are configured in FRR

When adding new SVIs and static VRF routes in FRR, the appropriate VRF is applied to the interface in the kernel after the static routes are configured in FRR. When the kernel interface changes to the appropriate VRF, FRR next-hop resolution is not updated with the valid connected next-hop interface.

To work around this issue, remove and re-add the static routes.

This is a known issue that is currently being investigated.


RN-1003 (CM-21511)
IGMP queries are not sent if a VXLAN is declared before the bridge in /etc/network/interfaces

If a VNI is configured before the bridge in /etc/network/interfaces, the switch does not send IGMP queries.

To work around this issue, edit the /etc/network/interfaces file to define the bridge before the VNI. For example:

# The primary network interface
auto eth0
iface eth0 inet dhcp

auto lo
iface lo inet loopback
    address 10.26.10.11/32

auto swp9
iface swp9
    bridge-access 100

auto swp10
iface swp10
    bridge-access 100

auto bridge
iface bridge
    bridge-ports swp9 swp10 vni-10
    bridge-vids 100
    bridge-vlan-aware yes
    bridge-mcquerier 1

auto vni-10
iface vni-10
    vxlan-id 10
    vxlan-local-tunnelip 10.0.0.11
    bridge-access 100

auto bridge.100
vlan bridge.100
    bridge-igmp-querier-src 123.1.1.1

auto vlan100
iface vlan100
    address 10.26.100.2/24
    vlan-id 100
    vlan-raw-device bridge

This is a known issue that is currently being investigated.
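As an added example (not part of these release notes or of ifupdown2), the following checker parses the stanza layout used above and reports every VNI stanza that is declared before the bridge whose bridge-ports line references it, so the ordering the workaround asks for can be verified before running ifreload. It assumes attribute lines follow their iface or vlan header as in the example above and does not expand bridge-ports glob ranges.

```python
"""Check that bridges are defined before the VNIs they carry in /etc/network/interfaces.

Added example, not code from the Cumulus Linux release notes or ifupdown2.
It parses the stanza layout shown in the release note (an 'auto' line, an
'iface' or 'vlan' header, then attribute lines) and reports every VNI stanza
(any iface carrying 'vxlan-id') that appears before the bridge whose
'bridge-ports' references it. 'bridge-ports glob ...' ranges are not expanded.
"""
from dataclasses import dataclass, field

HEADERS = ("iface", "vlan")
SKIP = ("auto", "allow-hotplug", "source", "source-directory")


@dataclass
class Stanza:
    kind: str                      # "iface" or "vlan"
    name: str
    index: int                     # order of appearance in the file
    attrs: dict = field(default_factory=dict)


def parse_interfaces(text: str) -> list:
    """Split an interfaces file into stanzas; attributes are keyed by their first word."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if tokens[0] in HEADERS and len(tokens) >= 2:
            current = Stanza(tokens[0], tokens[1], len(stanzas))
            stanzas.append(current)
        elif tokens[0] in SKIP:
            continue
        elif current is not None:
            current.attrs[tokens[0]] = " ".join(tokens[1:])
    return stanzas


def vni_ordering_violations(text: str) -> list:
    """Return (bridge, vni) pairs where the VNI stanza precedes its bridge stanza."""
    stanzas = parse_interfaces(text)
    by_name = {s.name: s for s in stanzas if s.kind == "iface"}
    violations = []
    for bridge in stanzas:
        if bridge.kind != "iface" or "bridge-ports" not in bridge.attrs:
            continue
        for port in bridge.attrs["bridge-ports"].split():
            member = by_name.get(port)
            if member is not None and "vxlan-id" in member.attrs and member.index < bridge.index:
                violations.append((bridge.name, member.name))
    return violations


# Constructed sample: the VNI is declared before the bridge (the failing order).
VNI_FIRST = """\
auto vni-10
iface vni-10
    vxlan-id 10
    vxlan-local-tunnelip 10.0.0.11
    bridge-access 100

auto bridge
iface bridge
    bridge-ports swp9 swp10 vni-10
    bridge-vids 100
    bridge-vlan-aware yes
    bridge-mcquerier 1
"""

# Same two stanzas with the bridge first (the order the workaround asks for).
BRIDGE_FIRST = "\n".join(reversed(VNI_FIRST.split("\n\n")))

if __name__ == "__main__":
    for label, text in (("vni first", VNI_FIRST), ("bridge first", BRIDGE_FIRST)):
        print(label, vni_ordering_violations(text))
```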


RN-1004 (CM-21496)
Scalability of redistribute neighbor limits the number of supported hosts

A Cumulus Linux switch cannot manage Docker containers running on 500 hosts. Entries in table 10 start to expire and are removed from the table.

To work around this issue, modify the ebtable rules for set-rate and set-burst, increasing their values until the issue is resolved. For example, configure set-rate=1200 and set-burst=300.

This is a known issue that is currently being investigated.


RN-1027 (CM-21707)
On Maverick switches, enabling auto-negotiation on 10G (all) and 1G SFP RJ45 breaks the link

On a Maverick switch, if auto-negotiation is configured on a 10G interface and the installed module does not support auto-negotiation (for example, 10G DAC, 10G Optical, 1G RJ45 SFP), the link breaks.

To work around this issue, disable auto-negotiation on interfaces where it is not supported. See the Interface Configuration Recommendations for information about configuring auto-negotiation.

This is a known issue that is currently being investigated.


RN-1036 (CM-21853)
Trident 3 switch does not send out sflow flow samples

The Trident 3 switch does not send out sflow flow samples; only counter samples are sent.

This is a known issue that is currently being investigated.


RN-1039 (CM-22045)
SNMPv3 Trap passwords and encryption keys longer than 16 characters might cause snmpd to core dump

SNMPv3 TRAP passwords or encryption keys longer than 16 characters might result in a core dump. For example:

net add snmp-server trap-destination 3.3.3.3 username verylongtrapusername \
    auth-md5 verylongmd52345678901234567890 \
    encrypt-aes verylongencrypt567890123456789012345678 \
    engine-id 0x80001f8880f49b75319690895b00000000

# this results in a core dump:
root@cel-redxp-01:/home/cumulus# systemctl status  snmpd
   snmpd.service - Simple Network Management Protocol (SNMP) Daemon.
   Loaded: loaded (/lib/systemd/system/snmpd.service; enabled)
   Active: failed (Result: core-dump) since Wed 2018-09-05 16:18:05 UTC; 1min 25s ago
  Process: 21163 ExecStart=/usr/sbin/snmpd $SNMPDOPTS -f (code=dumped, signal=SEGV)
 Main PID: 21163 (code=dumped, signal=SEGV)
Sep 05 16:18:05 cel-redxp-01 systemd[1]: Started Simple Network Management Protocol (SNMP) Daemon..
Sep 05 16:18:05 cel-redxp-01 systemd[1]: snmpd.service: main process exited, code=dumped, status=11/SEGV
Sep 05 16:18:05 cel-redxp-01 systemd[1]: Unit snmpd.service entered failed state.

To work around this issue, use SNMPv3 TRAP passwords and encryption keys that are 16 characters or shorter.

This is a known issue that is currently being investigated.


RN-1051 (CM-21678)
On Dell switches with Maverick ASICs, "Die Temp Sensor" errors are seen and the state changes to ABSENT

On a Dell switch with a Maverick ASIC, NetQ might receive false alerts like the following via PagerDuty:

cumulus@switch:~$ netq show sensors temp changes | grep absent | grep -v psu 
P2Leaf01 temp9 networking asic die temp sensor absent 43 105 100 5 Unable to find driver path: /cumulu Add 7d:22h:1m:41s 
P2Leaf01 temp6 networking asic die temp sensor absent 45 105 100 5 Unable to find driver path: /cumulu Add 7d:22h:1m:41s 
P2Leaf01 temp6 networking asic die temp sensor absent 47 105 100 5 Unable to read temp4_highest Add 9d:23h:26m:6s 
P2Leaf01 temp6 networking asic die temp sensor absent 45 105 100 5 Unable to read temp4_highest Add 14d:22h:46m:45s 
MSpine01 temp10 networking asic die temp sensor absent -273 105 100 5 Unable to read temp8_input Add 17d:20h:59m:31s 
P1Leaf01 temp10 networking asic die temp sensor absent 44 105 100 5 Unable to find driver path: /cumulu Add 7d:22h:29m:19s 
P1Leaf01 temp10 networking asic die temp sensor absent 43 105 100 5 Unable to find driver path: /cumulu Add 13d:18h:29m:27s 

This message might occur as a result of a timeout at the hardware level, or the switch might be reporting a failure to get a response.

This is a known issue that is currently being investigated.


RN-1062 (CM-22450)
Input chain ACLs do not apply in hardware on Broadcom platforms

Input chain ACLs do not apply in hardware on Broadcom platforms and input packets are processed against rules in the kernel instead. This can result in rules with the drop action not applying in hardware and the packets reaching the kernel.

This is a known issue that is currently being investigated.


RN-1063 (CM-22386)
In OVSDB server high availability mode, the host receives duplicate BUM packets from the service node on VX

The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peerlink. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.

This is a known issue that is currently being investigated.


RN-1066 (CM-22290)
With dynamic route leaking, software forwarding of packets between connected source and destination fails

When using dynamic route leaking, software forwarding of packets fails between the connected source and destination.

To work around this issue, configure the leak on a switch that does not have any locally-connected hosts.

This is a known issue that is currently being investigated.


RN-1067 (CM-22287)
Traffic stops for about four seconds when the ECMP link goes down

When a layer 3 ECMP path is brought down on the EdgeCore AS7712 (Tomahawk) switch running in atomic mode, traffic traversing the path stops working for about four seconds. When the switch is changed to non-atomic mode, the delay is less than one second. This issue is seen across OSPF and static ECMP routes.

To work around this issue, change ACL to run in non-atomic mode.

This is a known issue that is currently being investigated.


RN-1069 (CM-21781)
The clagd service remains in a failed state when the peerlink's parent interface does not exist

The clagd service can get stuck in a reset or failed state (status = -1) when the parent interface of the peerlink does not exist.

To work around this issue, restart the clagd service:

cumulus@switch:~$ sudo systemctl restart clagd.service

This is a known issue that is currently being investigated.


RN-1070 (CM-22371)
Improperly directed traffic when there is a change of input interface for PBR on the Spectrum ASIC

When programming policy-based routing (PBR), if you change the input interface from a physical interface to a subinterface, the traffic is not properly redirected. You must flap the nexthop interface to reprogram the PBR.

This is a known issue that is currently being investigated.


RN-1071 (CM-22345)
Redirected traffic increments INPUT ACL rule counter but does not perform an action

If a packet to an unknown IP address (but known network) enters the switch and matches an INPUT ACL rule, it is redirected for ARP and the counters increment for that rule, but it does not perform the action. This only happens until the ARP reply is sent, and then the traffic is forwarded properly.

To work around this issue, change the rules to INPUT,FORWARD instead of INPUT. Drops should then be logged properly.

This is a known issue that is currently being investigated.


RN-1073 (CM-22301)
Multicast packets exiting tunnels and going to the CPU might need separate policers on Broadcom VXLAN RIOT

For an unresolved address, the IPROUTER default policer rule has been modified to not match on packets exiting a TUNNEL and headed to the CPU to resolve the address via ARP. As a result, the following default rule no longer matches TUNNEL ingress packets.

-A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type IPROUTER -j POLICE --set-mode pkt --set-rate 400 --set-burst 100

These packets are now policed by catch all rules.

To work around this issue, the VPORT value on a TRIDENT switch must be changed from binary 011 to 100.

This is a known issue that is currently being investigated.


RN-1074 (CM-22145)
The `net show configuration files` command does not include /etc/restapi.conf

The /etc/restapi.conf file is not listed in the net show configuration files command output.

This is a known issue that is currently being investigated.


RN-1075 (CM-21795)
On an Edgecore AS4610 or AS5812, after inserting a 1G LX module or rebooting the switch with it installed, no traffic is passed on the link if autoneg is enabled

If you insert a 1G LX module into an Edgecore 4610 or 5812 switch or reboot the switch with this module installed, no traffic is passed on the switch port when auto-negotiation is enabled. Flapping the link down or up does not repair it.

To work around this issue, disable auto-negotiation, then re-enable it to repair the link; otherwise, disable auto-negotiation permanently. For example, if swp1 has the 1G module, disable then re-enable auto-negotiation as follows:

cumulus@switch:~$ net add interface swp1 link autoneg off
cumulus@switch:~$ net commit
cumulus@switch:~$ net add interface swp1 link autoneg on
cumulus@switch:~$ net commit

This is a known issue that is currently being investigated.


RN-1076 (CM-22138)
The `net show system` command does not show port and chip information on the Edgecore OMP-800 switch

When you run the NCLU net show system command or the NetQ netq inventory command on the Edgecore OMP-800 switch, the output does not show any port or chip information.

This is a known issue that is currently being investigated.


RN-1077 (CM-22274)
Configuration of import and export route targets for VNIs in EVPN differs between layer 2 and layer 3

To ease interoperation with non-Cumulus devices, it is possible to configure the route-target import and export values under the layer 2 VNI EVPN configuration. The same configuration does not work for both layer 2 VNI and layer 3 VNI. Set the EVPN address-family within the VNI context when configuring the route-target in layer 2 VNI. Set the EVPN address-family without the VNI context when configuring the route-target in layer 3 VNI.

This is a known issue that is currently being investigated.


RN-1078 (CM-22157)
On the Tomahawk+ switch, switchd fails on restart after configuring 2x50G in ports.conf

On Tomahawk+ switches, the switchd process is unable to restart after configuring 2x25G in the /etc/cumulus/ports.conf file.

This is a known issue that is currently being investigated.


RN-1079 (CM-22004)
ARP reply packets are flooded to all remote VTEPs when the packet arrives on a different MLAG peer

ARP reply packets are flooded to all remote VTEPs when the ARP reply arrives on a different MLAG peer than the one where the permanent MAC exists.

To work around this issue:

    1. Manually define the MAC address for the SVI.
      The MAC address allocated to the SVI is inherited by the bridge (by default). The bridge inherits the MAC address from a physical interface (swp*). This inheritance might result in a different SVI MAC address after a reboot (for example, a configuration change might result in the port being removed from the bridge).
      For this example, the MAC address of SVI vlan123 is statically configured as sw01 = MM:MM:MM:11:11:11 and sw02 = MM:MM:MM:22:22:22.
    2. Program a static entry on sw01 pointing to sw02 over the peerlink bond in VLAN 123:
      iface vlan123
      post-up bridge fdb add MM:MM:MM:22:22:22 dev peerlink vlan 123 master static
    3. Configure a static MAC address on sw02 pointing to the SVI owned by sw01 over the peerlink bond in VLAN 123:
      iface vlan123
      post-up bridge fdb add MM:MM:MM:11:11:11 dev peerlink vlan 123 master static
    4. Repeat steps above for each VLAN.

This is a known issue that is currently being investigated.


RN-1080 (CM-21997)
The VRF membership for a VRR interface fails to update in the Mellanox SDK

The VRF membership for a VRR interface fails to update. This issue does not affect SVI (non-v0) interfaces.

To work around this issue, reboot the switch or remove the VRR IP address and reconfigure it. For example:

cumulus@switch:~$ net del vlan 120 ip address-virtual
cumulus@switch:~$ net commit
cumulus@switch:~$ net add vlan 120 ip address-virtual 00:00:00:00:01:20 10.120.0.254/24
cumulus@switch:~$ net commit

This is a known issue that is currently being investigated.


RN-1081 (CM-22268)
On Mellanox switches, BFD rules configured in `00control_plane.rules` have no effect

Configuring BFD policies in the 00control_plane.rules file on Mellanox switches has no effect.

This is a known issue that is currently being investigated.


RN-1082 (CM-22257)
You can add ports as bridge ports multiple times with NCLU

When you add ports as bridge ports multiple times with the NCLU command, the commits succeed without error.

To work around this issue, remove the extra interfaces with the net del bridge bridge ports <interface> command.

This is a known issue that is currently being investigated.


RN-1083 (CM-21898)
On a Trident3 switch, IGMP traffic does not match the IGMP rule in the 00control file, but matches on the unknown multicast rule in catchall instead

On a Trident3 switch, IGMP packets are not getting policed by the police rule in the 00control ACL file. The packets are policed by the catchall policer in 99control ACL file instead.

-A $INGRESS_CHAIN -p ipv4 -d 01:00:5e:00:00:00/ff:ff:ff:80:00:00 -j police --set-mode pkt --set-rate 100 --set-burst 100

To work around this issue, let the CPU-bound IGMP packets hit the following rule and change the policer rate to the desired value for IGMP packets:

-A $INGRESS_CHAIN -p ipv4 -d 01:00:5e:00:00:00/ff:ff:ff:80:00:00 -j police --set-mode pkt --set-rate 100 --set-burst 100

Typically, the destination MAC address 01:00:5e:xx:xx:xx is used only for PIM/IGMP control and data stream packets. However, this workaround cannot handle data stream multicast packets that are not TCP/UDP.

This is a known issue that is currently being investigated.


RN-1085 (CM-22237)
NCLU SNMP configuration does not start the SNMP server

When you configure SNMP with NCLU commands, the SNMP server does not restart and you see a warning:

WARNING: snmpd is not running.  Run "journalctl -u snmpd" for error messages.

To work around this issue, start SNMP manually.

This is a known issue that is currently being investigated.


RN-1086 (CM-21927)
In QinQ mode on a Mellanox switch, when a switch port is moved from a bond to a non-bond state, individual VLANs are not programmed on ports after running `ifreload`

When running ifreload after updating an interface configuration, sometimes VLANs are not programmed into the hardware data plane. The Linux control plane looks normal but the VLAN has not been programmed into the hardware and packets that arrive for it are dropped.

To work around this issue, remove the affected VLANs from the port and re-add them.

This is a known issue that is currently being investigated.


RN-1087 (CM-22206)
Mellanox ERSPAN not working with VXLAN

ERSPAN does not work when using VXLAN on Mellanox switches.

This is a known issue that is currently being investigated.


RN-1089 (CM-22205)
If FRR is restarted while a user is in vtysh, the running configuration shows empty

If a user is in vtysh when FRR is restarted, the running configuration in that vtysh session shows empty.

This is a known issue that is currently being investigated.


RN-1090 (CM-21909)
Invalid temperature warning on QuantaMesh BMS T4048-IX8 switch

This issue occurs when Cumulus Linux is trying to access the temperature sensors on the ASIC but it does not get a reply back.

This is a known issue that is currently being investigated.


RN-1091 (CM-22466)
Resilient hashing on Broadcom Trident3 switch not fully supported

Full support for resilient hashing on Broadcom Trident3 switches is not yet available.

This is a known issue that is currently being investigated.


RN-1092 (CM-22443)
IEEE 802.1X Support for management VRF

Add the DAS listener service to the /etc/vrf/systemd.conf file so it can be started in the management VRF as needed.

This issue is currently being investigated.


RN-1094 (CM-22396)
On VXLAN and traditional bridges, frames are tagged with an internal VLAN on untagged interfaces

Frames are tagged with an internal VLAN on untagged interfaces on both a VXLAN and traditional bridge.

This is a known issue that is currently being investigated.


RN-1095 (CM-21813)
The NCLU `net add` and `net commit` commands edit the interfaces file even when the interface configuration is not changed

The NCLU net add and net commit commands change the interfaces file even if you only add a service such as snmp or hostname. This causes an issue with automation. For example, Ansible runs handlers (ifreload -a for interfaces) during each push if the file being edited changes.

This is a known issue that is currently being investigated.


RN-1096 (CM-22032)
On a Trident3 switch, cl-ecmpcalc returns a traceback error

On the Trident3 switch, cl-ecmpcalc returns invalid entries (two entries for MAC address 00:00:00:00:00:00) that cause script failures.

This is a known issue that is currently being investigated.


RN-1097 (CM-22228)
Virtual counters not working on Trident II+ switches

Counters associated with VLANs and VRFs are not working on Trident II+ switches.

This is a known issue that is currently being investigated.


RN-1098 (CM-22069)
On Tomahawk switches, the hardware MAC entry is not updated on native VLAN changes

On a Tomahawk switch with VXLAN-enabled VLANs, if the native VLAN on a port is changed, the GPORT associated with a MAC address in that VLAN is incorrect.

This is a known issue that is currently being investigated.


RN-1099 (CM-22229)
In EVPN, IPv6 remote prefixes are sometimes not installed and ping between switches in the tenant VRF context fails

Pings between VTEPs in a tenant VRF context do not succeed consistently. This applies to both IPv4 and IPv6 pings.

To verify connectivity and forwarding in a tenant VRF, Cumulus Networks recommends that you ping between tenant hosts or between a tenant host and a switch.

This is a known issue that is currently being investigated.


RN-1100 (CM-22187)
In FRRouting, the BGP aggregate-address statement is ignored when the network statement uses the same IP address

If you start FRRouting and your configuration has a BGP IPv4 network statement that is the same as an aggregate-address statement, then the aggregate is not announced.

For example, if you have the following FRR configuration:

network 172.16.250.0/24
aggregate-address 172.16.250.0/24

That network is then not advertised unless 172.16.250.0/24 (that exact prefix) is in the RIB. The issue does not occur if the network statement does not exactly match the aggregate-address statement (supernets and subnets are not affected).

To work around this issue, remove the matching network statement.

This issue is fixed in the upstream version of FRR.
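The following is an added example, not code from these release notes or from FRR: it walks a frr.conf-style text, collects the network and aggregate-address statements in the IPv4 unicast family of each router bgp section (per VRF), and reports only exact prefix matches, since supernets and subnets are not affected. The sample configuration is constructed; it assumes statements placed directly under router bgp belong to IPv4 unicast, which is how FRR reads them.

```python
"""Flag BGP 'network' statements that exactly match an 'aggregate-address' in FRR configuration.

Added example, not code from the Cumulus Linux release notes or FRR. It walks
a frr.conf-style text, collects 'network' and 'aggregate-address' lines in the
IPv4 unicast family of each 'router bgp' section (per VRF), and reports only
exact prefix matches, since the release note says supernets and subnets are
not affected. Lines placed directly under 'router bgp' are treated as IPv4
unicast, which is how FRR interprets them.
"""
import ipaddress


def bgp_ipv4_unicast_statements(text: str):
    """Yield (router, keyword, prefix) for network/aggregate-address lines."""
    router, family = None, None
    for raw in text.splitlines():
        if raw.rstrip() == "!":                # an unindented '!' ends the router section
            router = None
            continue
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:2] == ["router", "bgp"]:
            router = " ".join(tokens[2:])      # e.g. "65001" or "65001 vrf tenant1"
            family = "ipv4 unicast"
        elif tokens[0] == "address-family":
            family = " ".join(tokens[1:3])
        elif tokens[0] == "exit-address-family":
            family = "ipv4 unicast"
        elif router and family == "ipv4 unicast" and tokens[0] in ("network", "aggregate-address"):
            if len(tokens) >= 2:
                yield router, tokens[0], tokens[1]


def conflicting_aggregates(text: str) -> list:
    """Return (router, prefix) for every aggregate-address that has an identical network statement."""
    networks, aggregates = set(), set()
    for router, keyword, prefix in bgp_ipv4_unicast_statements(text):
        try:
            net = ipaddress.ip_network(prefix, strict=False)
        except ValueError:
            continue                           # malformed prefix; not this check's concern
        if net.version != 4:
            continue
        (networks if keyword == "network" else aggregates).add((router, net))
    return sorted((router, str(net)) for router, net in networks & aggregates)


# Constructed frr.conf excerpt (not taken from a real switch).
SAMPLE_FRR_CONF = """\
router bgp 65001
 bgp router-id 10.0.0.1
 !
 address-family ipv4 unicast
  network 172.16.250.0/24
  network 10.1.0.0/24
  aggregate-address 172.16.250.0/24 summary-only
  aggregate-address 10.1.0.0/16 summary-only
 exit-address-family
 !
 address-family l2vpn evpn
  advertise-all-vni
 exit-address-family
!
router bgp 65001 vrf tenant1
 address-family ipv4 unicast
  network 192.168.10.0/24
  aggregate-address 192.168.0.0/16
 exit-address-family
!
"""

if __name__ == "__main__":
    for router, prefix in conflicting_aggregates(SAMPLE_FRR_CONF):
        print(f"router bgp {router}: remove 'network {prefix}' so the aggregate is announced")
```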


RN-1101 (CM-22216)
On Mellanox switches, RASH with VXLAN is not moving flows when losing the ECMP path

When RASH is enabled and an ECMP path is taken away using the ip link set <swp> down command, traffic using that ECMP path is never moved to another path and is dropped permanently.

This is a known issue that is currently being investigated.


RN-1102 (CM-22121)
On a Mellanox switch configured for ECMP resilient hashing, "No more resources" errors are seen

This is due to a limitation between Cumulus Linux and the Mellanox hardware. Currently, on a Mellanox switch, Cumulus Linux supports only 4 ECMP containers with 1000 hash entries per container.

This is a known issue that is currently being investigated.


RN-1103 (CM-22417)
MPLS packets are not being forwarded over the MPLS fabric

MPLS packets are not forwarded over the MPLS fabric on a Mellanox switch.

This is a known issue that is currently being investigated.


RN-1104 (CM-22472)
MLAG anycast IP address not applied on the secondary switch after making changes

When clagd is running and you add or modify the MLAG VXLAN anycast IP address on the loopback using NCLU or by editing the configuration file, the changes are not applied. You need to restart clagd manually for the changes to be applied.


RN-1116 (CM-22509)
FRR reload does not apply changes to BGP aggregate addresses

If you change the BGP aggregate addresses using NCLU or by reloading the FRR service, the configuration is accepted, but the routes do not appear in the BGP table.

To work around this issue, manually change the BGP aggregate addresses in vtysh.

This is a known issue that is currently being investigated.


RN-1125 (CM-22540)
Cumulus Linux might be unable to read certain sensors on the Dell S5248F Trident3 switch

Due to changes made to the BMC firmware, Cumulus Linux might be unable to read certain sensors correctly on the Dell S5248F Trident3 switch; for example, the CPU temperature might appear as absent.

This issue should be fixed in the next release of Cumulus Linux.


RN-1197 (CM-23278)
Non-vagrant Cumulus VX images include an unneeded vagrant user

Cumulus VX images for versions 3.7.0 through 3.7.2 include a vagrant user, as the vagrant box format requires it in order to function. This user isn't needed and should be removed from the following Cumulus VX images:

  • cumulus-linux-3.7.0-vx-amd64-qemu.qcow2
  • cumulus-linux-3.7.0-vx-amd64-vbox.ova
  • cumulus-linux-3.7.0-vx-amd64-vmware.ova
  • cumulus-linux-3.7.1-vx-amd64-qemu.qcow2
  • cumulus-linux-3.7.1-vx-amd64-vbox.ova
  • cumulus-linux-3.7.1-vx-amd64-vmware.ova
  • cumulus-linux-3.7.2-vx-amd64-qemu.qcow2
  • cumulus-linux-3.7.2-vx-amd64-vbox.ova
  • cumulus-linux-3.7.2-vx-amd64-vmware.ova

To remove the vagrant user, run:

cumulus@switch:~$ sudo userdel [-r] vagrant

This issue will be fixed in Cumulus VX 3.7.3.


RN-1199 (CM-23499)
On Dell S5048F and Z9100 switches, the wrong driver might try to load and fails

On the Dell S5048F and Dell Z9100 switches, the MODULE_DEVICE_TABLE declaration enables the kernel to auto-load the drivers on any platform with a Xilinx 7021 device. As a result, these switches might exhibit errors in their dmesg logs when trying to auto-load an incompatible driver.

This is a known issue that is currently being investigated.


RN-1290 (CM-24196)
`snmpd` generates a core file when the service is stopped or restarted and the snmpd.conf file contains `trapsess` lines

The snmpd service fails and generates a core file when the service is stopped or restarted and there is a trapsess line configured in the snmpd.conf file.

To work around this issue, comment out the trapsess lines.

This is a known issue that is currently being investigated.


RN-1315 (CM-24330)
On a Mellanox switch, when you change the VRF membership on an SVI with VRR configured, the VRR MAC is not programmed into hardware

On a Mellanox switch, when you change the VRF membership of an interface with VRR enabled, the VRR MAC address is not properly programmed into hardware.

To work around this issue, delete and recreate the interface using ifup and ifdown.

This is a known issue that is currently being investigated.


RN-1423 (CM-20189)
clagd OSError: [Errno 12] Cannot allocate memory

Under certain conditions, the clagd process leaks memory, eventually crashes, and then restarts. During this time, traffic flows over this switch are impacted temporarily. The /var/log/clagd.log file shows a message similar to the following:

clagd[1824]: OSError: [Errno 12] Cannot allocate memory

This issue is being investigated at this time.


RN-1425 (CM-25001)
Debian Security Advisories DSA-4444-1 and DSA-4447-1 for the Linux kernel and microcode: CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091

The following CVEs were announced in Debian Security Advisories DSA-4444-1 and DSA-4447-1 and affect the Linux kernel and microcode.

-------------------------------------------------------------------------------------------
Debian Security Advisory DSA-4444-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 14, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------------------------
Package: linux
CVE ID: CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091
Debian Bug: 928125

Multiple researchers have discovered vulnerabilities in the way the Intel processor designs have implemented speculative forwarding of data filled into temporary microarchitectural structures (buffers). This flaw could allow an attacker controlling an unprivileged process to read sensitive information, including from the kernel and all other processes running on the system or cross guest/host boundaries to read host memory.

See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html for more details.

To fully resolve these vulnerabilities it is also necessary to install updated CPU microcode. An updated intel-microcode package (only available in Debian non-free) will be provided via a separate DSA. The updated CPU microcode may also be available as part of a system firmware ("BIOS") update.

In addition, this update includes a fix for a regression causing deadlocks inside the loopback driver, which was introduced by the update to 4.9.168 in the last Stretch point release.

For the stable distribution (stretch), these problems have been fixed in version 4.9.168-1+deb9u2.

We recommend that you upgrade your linux packages.

For the detailed security status of linux, refer to its security tracker page at:
https://security-tracker.debian.org/tracker/linux


RN-1444 (CM-25167)
The `clear bgp` command does not support multiple address families and just clears IPv6 unicast

The clear bgp command does not support multiple address families. For example, the following command clears IPv6 unicast and ignores IPv4 unicast:

cumulus@switch:~$ clear bgp l2vpn evpn

To clear IPv4 unicast, use the clear ip bgp command. For example, the following command clears IPv4 unicast and ignores IPv6 unicast:

cumulus@switch:~$ clear ip bgp l2vpn evpn

This is a known issue that is currently being investigated.


RN-1455 (CM-24858)
On Broadcom switches, TPID programming is not reset on configuration change

On the Broadcom switch, TPID programming is not reset when there is a configuration change. As a result, you see unexpected packet drops.

This is a known issue that is currently being investigated.

The following issues were added on July 24, 2019.

RN-1317 (CM-23891)
Filesystem timeouts and read-only filesystem on hardware using 3IE3/3IE4/3ME3 SSDs

Some SSD (solid-state disk or flash) drive models — 3IE3, 3IE4 and 3ME3 — commonly used in network switches require the use of the TRIM command to function properly. By default, Cumulus Linux, like most other Linux distributions, does not enable TRIM. TRIM lets the operating system tell the drive firmware which areas of the drive are no longer in use, so that subsequent writes to those areas work correctly. Over time, without this notification, when extensive logging or debugging to the SSD is enabled, the firmware may take longer to perform write operations, which can in turn cause driver timeouts. These disk errors may eventually lead to the filesystem being mounted read-only.

Cumulus Linux now detects drives that require TRIM and enables the discard option when creating the /etc/fstab file during the installation of the network operating system. The /etc/fstab file was also updated to enable the discard option when running apt-get upgrade to upgrade to Cumulus Linux 3.7.4 or later.

Cumulus Networks initially acknowledged this issue in this product bulletin.
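The check a practitioner would run on an existing switch after the upgrade, as an added example that is not Cumulus Networks' code: a POSIX shell script that parses /etc/fstab-style text and reports whether a given mount point carries the discard option, and matches a drive model string against the three models named above. The fstab lines and model strings in the script are constructed for the example; the live-system calls in the usage note read standard Linux paths.

```shell
#!/bin/sh
# Added example (not Cumulus Networks' code): verify the RN-1317 mitigation.
# 1) Is the mount point in /etc/fstab mounted with "discard" (continuous TRIM)?
# 2) Does the drive model match one of the models the release note names?

# fstab_has_discard FSTAB_TEXT MOUNTPOINT -> prints "yes" or "no"
# Skips comment lines and lines with fewer than four fields; compares the
# mount-point field exactly and splits the options field on commas.
fstab_has_discard() {
    fstab="$1"; mnt="$2"
    printf '%s\n' "$fstab" | awk -v mnt="$mnt" '
        /^[[:space:]]*#/ || NF < 4 { next }
        $2 == mnt {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "discard") hit = 1
        }
        END { if (hit) print "yes"; else print "no" }'
}

# model_needs_trim MODEL -> exit status 0 if MODEL is a 3IE3, 3IE4 or 3ME3 drive
model_needs_trim() {
    case "$1" in
        *3IE3*|*3IE4*|*3ME3*) return 0 ;;
        *)                    return 1 ;;
    esac
}

# Constructed sample fstab contents (not copied from a real switch).
SAMPLE_FSTAB_OLD='# /etc/fstab: static file system information.
/dev/sda1  /             ext4  defaults,noatime          0  1
/dev/sda2  /mnt/persist  ext4  defaults                  0  2'
SAMPLE_FSTAB_NEW='/dev/sda1  /             ext4  defaults,noatime,discard  0  1'

printf 'old fstab, /: discard=%s\n' "$(fstab_has_discard "$SAMPLE_FSTAB_OLD" /)"
printf 'new fstab, /: discard=%s\n' "$(fstab_has_discard "$SAMPLE_FSTAB_NEW" /)"
```

On a running switch, `fstab_has_discard "$(cat /etc/fstab)" /` and `model_needs_trim "$(cat /sys/block/sda/device/model)"` (substituting the actual block device) answer both questions. A discard option added to /etc/fstab only takes effect at the next mount, so `mount -o remount,discard /` applies it to the running root filesystem, and `fstrim -v /` from util-linux issues a one-shot TRIM for blocks that are already free.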


RN-1492 (CM-24784)
NCLU command cannot delete BGP neighbor configuration if there is a VRF VNI mapping in the /etc/frr/frr.conf file

NCLU is unable to delete a BGP neighbor configuration if there is a VRF VNI mapping in the /etc/frr/frr.conf file. For example, the following NCLU command produces an error:

cumulus@leaf01$ net del bgp neighbor swp5 interface peer-group spine
'router bgp 65001' configuration does not have 'neighbor swp5 interface peer-group spine'

This is a known issue that is currently being investigated.

The following new issue was added on August 12, 2019.

RN-1521 (CM-25890)
switchd reports a MAC move from swpX to swpX instead of from swpX to swpY

The switchd service reports MAC moves from swpX to swpX instead of from swpX to swpY.

This is a known issue that is currently being investigated.

The following new issue was added on August 27, 2019.


RN-1524 (CM-25754)
ARP replies are not forwarded as VXLAN over VXLAN

A port that is used both as a double-tagged (QinQ) interface and as a VXLAN access-side interface does not forward correctly; VXLAN decapsulation does not occur, so ARP replies arriving over VXLAN are not forwarded.

This is a known issue that is currently being investigated.


RN-1547 (CM-26169)
On Trident3 switches, QinQ with VLAN-aware bridge and MLAG does not work

On the Trident3 switch, Cumulus Linux does not map QinQ packets to VXLANs in a configuration with a VLAN-aware bridge and MLAG.

This is a known issue that is currently being investigated.
