Overview
These release notes support Cumulus RMP 3.7.0 through 3.7.7 and describe currently available features and known issues.
New features and known and fixed issues for Cumulus RMP 3.7.8 and later are included in the Cumulus Linux Release Notes.
Cumulus RMP 3.7 supports these features and is available on the Penguin Computing Arctica 4804IP-RMP, the Quanta QuantaMesh T1048-LY4R and CX RMP-T out-of-band switches.
Stay up to Date
- Sign in and click Follow above to receive a notification when we update these release notes.
- Subscribe to our product bulletin mailing list to receive important announcements and updates about issues that arise in our products.
- Subscribe to our security announcement mailing list to receive alerts whenever we update our software for security issues.
What's New in Cumulus RMP 3.7
Cumulus RMP 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.7.5, and 3.7.7 contain bug fixes only. Cumulus RMP 3.7.6 has no new fixes.
Cumulus RMP 3.7.4 is no longer available due to severe issues that are resolved in Cumulus RMP 3.7.5.
Cumulus RMP 3.7.0 contains several bug fixes and the following new features:
- RADIUS Change of Authorization (CoA) requests
- RADIUS AAA local fallback authentication
- TACACS Plus local fallback authentication
- New NCLU commands:
  - Show the version of a package
  - Show the interface description (alias) for all interfaces on the switch
  - Change bond mode to IEEE 802.3ad link aggregation mode
Install or Upgrade to Version 3.7
Whether you are installing Cumulus RMP 3.7 for the first time or upgrading from an earlier version, follow the steps in the Installation Management section of the Cumulus Linux User Guide.
Documentation
You can read the technical documentation here.
Issues Fixed in Cumulus RMP 3.7.7
The following is a list of issues fixed in Cumulus RMP 3.7.7 from earlier versions of Cumulus RMP.
Release Note ID | Summary | Description |
RN-1384 (CM-24805) |
Debian Security Advisory DSA-4436-1 for imagemagick CVE-2019-9956 CVE-2019-10650 |
The following CVEs were announced in Debian Security Advisory DSA-4436-1 and affect the imagemagick packages. This issue is fixed in Cumulus RMP 3.7.7.
Debian Security Advisory DSA-4436-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff April 28, 2019 https://www.debian.org/security/faq
This update fixes two vulnerabilities in Imagemagick: Memory handling problems and missing or incomplete input sanitising may result in denial of service, memory disclosure or the execution of arbitrary code if malformed TIFF or Postscript files are processed.
For the stable distribution (stretch), these problems have been fixed in version 8:6.9.7.4+dfsg-11+deb9u7. We recommend that you upgrade your imagemagick packages.
For the detailed security status of imagemagick, refer to its security tracker page at: |
RN-1390 (CM-24645) |
Debian Security Advisory DSA-4433-1 for ruby2.3 CVE-2019-8320 CVE-2019-8321 CVE-2019-8322 CVE-2019-8323 CVE-2019-8324 CVE-2019-8325 |
The following CVEs were announced in Debian Security Advisory DSA-4433-1 and affect the ruby2.3 package. This issue is fixed in Cumulus RMP 3.7.7.
Debian Security Advisory DSA-4433-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff April 16, 2019 https://www.debian.org/security/faq
Package: ruby2.3
CVE ID: CVE-2019-8320 CVE-2019-8321 CVE-2019-8322 CVE-2019-8323 CVE-2019-8324 CVE-2019-8325
Several vulnerabilities have been discovered in the Rubygems included in the interpreter for the Ruby language, which may result in denial of service or the execution of arbitrary code.
For the stable distribution (stretch), these problems have been fixed in version 2.3.3-1+deb9u6. We recommend that you upgrade your ruby2.3 packages.
For the detailed security status of ruby2.3, refer to its security tracker page at: |
RN-1391 (CM-24644) |
Debian Security Advisory DSA-4432-1 for ghostscript CVE-2019-3835 CVE-2019-3838 |
The following CVEs were announced in Debian Security Advisory DSA-4432-1 and affect the ghostscript package. This issue is fixed in Cumulus RMP 3.7.7.
Debian Security Advisory DSA-4432-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso April 16, 2019 https://www.debian.org/security/faq
Package: ghostscript
CVE ID: CVE-2019-3835 CVE-2019-3838
Debian Bug: 925256 925257
Cedric Buissart discovered two vulnerabilities in Ghostscript, the GPL PostScript/PDF interpreter, which could result in bypass of file system restrictions of the dSAFER sandbox.
For the stable distribution (stretch), these problems have been fixed in version 9.26a~dfsg-0+deb9u2. We recommend that you upgrade your ghostscript packages.
For the detailed security status of ghostscript, refer to its security tracker page at: |
RN-1392 (CM-24530) |
Debian Security Advisory DSA-4428-1 for systemd CVE-2019-3842 |
The following CVEs were announced in Debian Security Advisory DSA-4428-1 and affect the systemd package. This issue is fixed in Cumulus RMP 3.7.7.
Debian Security Advisory DSA-4428-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso April 08, 2019 https://www.debian.org/security/faq
Package: systemd
CVE ID: CVE-2019-3842
Jann Horn discovered that the PAM module in systemd insecurely uses the environment and lacks seat verification permitting spoofing an active session to PolicyKit. A remote attacker with SSH access can take advantage of this issue to gain PolicyKit privileges that are normally only granted to clients in an active session on the local console.
For the stable distribution (stretch), this problem has been fixed in version 232-25+deb9u11. This update includes updates previously scheduled to be released in the stretch 9.9 point release. We recommend that you upgrade your systemd packages.
For the detailed security status of systemd, refer to its security tracker page at: |
RN-1393 (CM-24510) |
Debian Security Advisory DSA-4425-1 for wget CVE-2019-5953 |
The following CVEs were announced in Debian Security Advisory DSA-4425-1 and affect the wget package. This issue is fixed in Cumulus RMP 3.7.7.
Debian Security Advisory DSA-4425-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso April 05, 2019 https://www.debian.org/security/faq
Package: wget
CVE ID: CVE-2019-5953
Debian Bug: 926389
Kusano Kazuhiko discovered a buffer overflow vulnerability in the handling of Internationalized Resource Identifiers (IRI) in wget, a network utility to retrieve files from the web, which could result in the execution of arbitrary code or denial of service when recursively downloading from an untrusted server.
For the stable distribution (stretch), this problem has been fixed in version 1.18-5+deb9u3. We recommend that you upgrade your wget packages.
For the detailed security status of wget, refer to its security tracker page at: |
RN-1399 (CM-23952) |
ifupdown2 user policy overrides do not apply if multiple files reference same module |
If multiple files reference the same module, ifupdown2 user-defined policy overrides do not apply. This issue is fixed in Cumulus RMP 3.7.7. |
RN-1410 (CM-24824) |
DHCP relay crashes with -nl flag when the server returns an offer |
The To work around this issue, remove the This issue is fixed in Cumulus RMP 3.7.7. |
RN-1445 (CM-25141) |
TACACS-authenticated users cannot use `net` commands even though mapped TACACS users are in the netedit and/or netshow groups |
A TACACS privilege level 15 user mapped to tacacs15 cannot use This issue is fixed in Cumulus RMP 3.7.7. |
RN-1460 (CM-25325) |
Debian Security Advisory DSA-4462-1 for dbus CVE-2019-12749 (part of systemd) |
The following CVEs were announced in Debian Security Advisory DSA-4462-1 and affect the dbus package. This issue is fixed in Cumulus RMP 3.7.7.
Debian Security Advisory DSA-4462-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso June 13, 2019 https://www.debian.org/security/faq
Package: dbus
CVE ID: CVE-2019-12749
Debian Bug: 930375
Joe Vennix discovered an authentication bypass vulnerability in dbus, an asynchronous inter-process communication system. The implementation of the DBUS_COOKIE_SHA1 authentication mechanism was susceptible to a symbolic link attack. A local attacker could take advantage of this flaw to bypass authentication and connect to a DBusServer with elevated privileges.
The standard system and session dbus-daemons in their default configuration are not affected by this vulnerability.
The vulnerability was addressed by upgrading dbus to a new upstream version 1.10.28 which includes additional fixes.
For the stable distribution (stretch), this problem has been fixed in version 1.10.28-0+deb9u1. We recommend that you upgrade your dbus packages.
For the detailed security status of dbus, refer to its security tracker page at: |
RN-1461 (CM-24975) |
Debian Security Advisory DSA-4442-1 for ghostscript CVE-2019-3839 |
The following CVEs were announced in Debian Security Advisory DSA-4442-1 and affect the ghostscript package. This issue is fixed in Cumulus RMP 3.7.7.
Debian Security Advisory DSA-4442-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso May 12, 2019 https://www.debian.org/security/faq
Package: ghostscript
CVE ID: CVE-2019-3839
A vulnerability was discovered in Ghostscript, the GPL PostScript/PDF interpreter, which may result in denial of service or the execution of arbitrary code if a malformed Postscript file is processed (despite the -dSAFER sandbox being enabled).
For the stable distribution (stretch), this problem has been fixed in version 9.26a~dfsg-0+deb9u3. We recommend that you upgrade your ghostscript packages.
For the detailed security status of ghostscript, refer to its security tracker page at: |
RN-1462 (CM-24925) |
Debian Security Advisory DSA-4438-1 for atftp CVE-2019-11365 CVE-2019-11366 |
The following CVEs were announced in Debian Security Advisory DSA-4438-1 and affect the atftp package. This issue is fixed in Cumulus RMP 3.7.7.
Debian Security Advisory DSA-4438-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso May 07, 2019 https://www.debian.org/security/faq
Package: atftp
CVE ID: CVE-2019-11365 CVE-2019-11366
Debian Bug: 927553
Denis Andzakovic discovered two vulnerabilities in atftp, the advanced TFTP server which could result in denial of service by sending malformed packets.
For the stable distribution (stretch), these problems have been fixed in version 0.7.git20120829-3.1~deb9u1. We recommend that you upgrade your atftp packages.
For the detailed security status of atftp please refer to its security tracker page at: |
New Known Issues in Cumulus RMP 3.7.7
The following issues are new to Cumulus RMP and affect the current release.
Release Note ID | Summary | Description |
RN-1494 (CM-25487) |
Debian Security Advisory DSA 4475-1 for openssl CVE-2019-1543 |
The following CVEs were announced in Debian Security Advisory DSA-4475-1 and affect the openssl package. There is no fix currently planned for this issue.
Debian Security Advisory DSA-4475-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff July 01, 2019 https://www.debian.org/security/faq
Package: openssl
CVE ID: CVE-2019-1543
Joran Dirk Greef discovered that overly long nonces used with ChaCha20-Poly1305 were incorrectly processed and could result in nonce reuse. This doesn't affect OpenSSL-internal uses of ChaCha20-Poly1305 such as TLS.
For the stable distribution (stretch), this problem has been fixed in version 1.1.0k-1~deb9u1. This DSA also upgrades openssl1.0 (which itself is not affected by CVE-2019-1543) to 1.0.2s-1~deb9u1. We recommend that you upgrade your openssl packages.
For the detailed security status of openssl, refer to its security tracker page at: |
RN-1495 (CM-25801) |
Using `hostnamectl` or the `systemd-hostnamed` process fills syslog with constant kernel messages, such as `unregister_netdevice: waiting for lo to become free. Usage count = 2` |
When you run the This is a known issue that is currently being investigated. |
RN-1496 (CM-25783) |
`onie-install` stages the installer even if checksum validation fails |
Cumulus Linux installer images have a shell script that validates checksum integrity. When you run To work around this issue, perform your own checksum validation before staging a new image with This is a known issue that is currently being investigated. |
The following new issue was added on August 9, 2019. |
RN-1514 (CM-21354) |
Debian Security Advisory DSA-4213-1 for qemu CVE-2017-5715 CVE-2017-15038 CVE-2017-15119 CVE-2017-15124 CVE-2017-15268 CVE-2017-15289 CVE-2017-16845 CVE-2017-17381 CVE-2017-18043 CVE-2018-5683 CVE-2018-7550 |
The following CVEs were announced in Debian Security Advisory DSA-4213-1 and affect the qemu package.
Debian Security Advisory DSA-4213-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso May 29, 2018 https://www.debian.org/security/faq
Package: qemu
CVE ID: CVE-2017-5715 CVE-2017-15038 CVE-2017-15119 CVE-2017-15124 CVE-2017-15268 CVE-2017-15289 CVE-2017-16845 CVE-2017-17381 CVE-2017-18043 CVE-2018-5683 CVE-2018-7550
Debian Bug: 877890 880832 880836 882136 883399 883625 884806 886532 887392 892041
Several vulnerabilities were discovered in qemu, a fast processor emulator.
CVE-2017-15038: Tuomas Tynkkynen discovered an information leak in 9pfs.
CVE-2017-15119: Eric Blake discovered that the NBD server insufficiently restricts large option requests, resulting in denial of service.
CVE-2017-15124: Daniel Berrange discovered that the integrated VNC server insufficiently restricted memory allocation, which could result in denial of service.
CVE-2017-15268: A memory leak in websockets support may result in denial of service.
CVE-2017-15289: Guoxiang Niu discovered an OOB write in the emulated Cirrus graphics adaptor which could result in denial of service.
CVE-2017-16845: Cyrille Chatras discovered an information leak in PS/2 mouse and keyboard emulation which could be exploited during instance migration.
CVE-2017-17381: Dengzhan Heyuandong Bijunhua and Liweichao discovered that an implementation error in the virtio vring implementation could result in denial of service.
CVE-2017-18043: Eric Blake discovered an integer overflow in an internally used macro which could result in denial of service.
CVE-2018-5683: Jiang Xin and Lin ZheCheng discovered an OOB memory access in the emulated VGA adaptor which could result in denial of service.
CVE-2018-7550: Cyrille Chatras discovered that an OOB memory write when using multiboot could result in the execution of arbitrary code.
This update also backports a number of mitigations against the Spectre v2 vulnerability affecting modern CPUs (CVE-2017-5715). For additional information, refer to https://www.qemu.org/2018/01/04/spectre/
For the stable distribution (stretch), these problems have been fixed in version 1:2.8+dfsg-6+deb9u4. We recommend that you upgrade your qemu packages.
For the detailed security status of qemu, refer to its security tracker page at: |
New Known Issues in Cumulus RMP 3.7.6
The following issues affect Cumulus RMP 3.7.6.
Release Note ID | Summary | Description |
RN-1384 (CM-24805) |
Debian Security Advisory DSA-4436-1 for imagemagick CVE-2019-9956 CVE-2019-10650 |
The following CVEs were announced in Debian Security Advisory DSA-4436-1 and affect the imagemagick packages.
Debian Security Advisory DSA-4436-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff April 28, 2019 https://www.debian.org/security/faq
This update fixes two vulnerabilities in Imagemagick: Memory handling problems and missing or incomplete input sanitising may result in denial of service, memory disclosure or the execution of arbitrary code if malformed TIFF or Postscript files are processed.
For the stable distribution (stretch), these problems have been fixed in version 8:6.9.7.4+dfsg-11+deb9u7. We recommend that you upgrade your imagemagick packages.
For the detailed security status of imagemagick, refer to its security tracker page at: |
RN-1385 (CM-23636) |
Debian Security Advisory DSA 4371-1 for apt CVE-2019-3462 |
The following CVEs were announced in Debian Security Advisory DSA-4371-1 and affect the apt package.
Debian Security Advisory DSA-4371-1 security@debian.org https://www.debian.org/security/ Yves-Alexis Perez January 22, 2019 https://www.debian.org/security/faq
Max Justicz discovered a vulnerability in APT, the high level package manager. The code handling HTTP redirects in the HTTP transport method doesn't properly sanitize fields transmitted over the wire. This vulnerability could be used by an attacker located as a man-in-the-middle between APT and a mirror to inject malicious content in the HTTP connection. This content could then be recognized as a valid package by APT and used later for code execution with root privileges on the target machine.
Since the vulnerability is present in the package manager itself, it is recommended to disable redirects in order to prevent exploitation during this upgrade only, using:
apt -o Acquire::http::AllowRedirect=false update
apt -o Acquire::http::AllowRedirect=false upgrade
This is known to break some proxies when used against security.debian.org. If that happens, people can switch their security APT source to use:
deb http://cdn-fastly.deb.debian.org/debian-security stable/updates main
For the stable distribution (stretch), this problem has been fixed in version 1.4.9. |
RN-1390 (CM-24645) |
Debian Security Advisory DSA-4433-1 for ruby2.3 CVE-2019-8320 CVE-2019-8321 CVE-2019-8322 CVE-2019-8323 CVE-2019-8324 CVE-2019-8325 |
The following CVEs were announced in Debian Security Advisory DSA-4433-1 and affect the ruby2.3 package.
Debian Security Advisory DSA-4433-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff April 16, 2019 https://www.debian.org/security/faq
Package: ruby2.3
CVE ID: CVE-2019-8320 CVE-2019-8321 CVE-2019-8322 CVE-2019-8323 CVE-2019-8324 CVE-2019-8325
Several vulnerabilities have been discovered in the Rubygems included in the interpreter for the Ruby language, which may result in denial of service or the execution of arbitrary code.
For the stable distribution (stretch), these problems have been fixed in version 2.3.3-1+deb9u6. We recommend that you upgrade your ruby2.3 packages.
For the detailed security status of ruby2.3, refer to its security tracker page at: |
RN-1391 (CM-24644) |
Debian Security Advisory DSA-4432-1 for ghostscript CVE-2019-3835 CVE-2019-3838 |
The following CVEs were announced in Debian Security Advisory DSA-4432-1 and affect the ghostscript package.
Debian Security Advisory DSA-4432-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso April 16, 2019 https://www.debian.org/security/faq
Package: ghostscript
CVE ID: CVE-2019-3835 CVE-2019-3838
Debian Bug: 925256 925257
Cedric Buissart discovered two vulnerabilities in Ghostscript, the GPL PostScript/PDF interpreter, which could result in bypass of file system restrictions of the dSAFER sandbox.
For the stable distribution (stretch), these problems have been fixed in version 9.26a~dfsg-0+deb9u2. We recommend that you upgrade your ghostscript packages.
For the detailed security status of ghostscript, refer to its security tracker page at: |
RN-1392 (CM-24530) |
Debian Security Advisory DSA-4428-1 for systemd CVE-2019-3842 |
The following CVEs were announced in Debian Security Advisory DSA-4428-1 and affect the systemd package.
Debian Security Advisory DSA-4428-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso April 08, 2019 https://www.debian.org/security/faq
Package: systemd
CVE ID: CVE-2019-3842
Jann Horn discovered that the PAM module in systemd insecurely uses the environment and lacks seat verification permitting spoofing an active session to PolicyKit. A remote attacker with SSH access can take advantage of this issue to gain PolicyKit privileges that are normally only granted to clients in an active session on the local console.
For the stable distribution (stretch), this problem has been fixed in version 232-25+deb9u11. This update includes updates previously scheduled to be released in the stretch 9.9 point release. We recommend that you upgrade your systemd packages.
For the detailed security status of systemd, refer to its security tracker page at: |
RN-1393 (CM-24510) |
Debian Security Advisory DSA-4425-1 for wget CVE-2019-5953 |
The following CVEs were announced in Debian Security Advisory DSA-4425-1 and affect the wget package.
Debian Security Advisory DSA-4425-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso April 05, 2019 https://www.debian.org/security/faq
Package: wget
CVE ID: CVE-2019-5953
Debian Bug: 926389
Kusano Kazuhiko discovered a buffer overflow vulnerability in the handling of Internationalized Resource Identifiers (IRI) in wget, a network utility to retrieve files from the web, which could result in the execution of arbitrary code or denial of service when recursively downloading from an untrusted server.
For the stable distribution (stretch), this problem has been fixed in version 1.18-5+deb9u3. We recommend that you upgrade your wget packages.
For the detailed security status of wget, refer to its security tracker page at: |
RN-1394 (CM-24357) |
Debian Security Advisory DSA-4416-1 for wireshark CVE-2019-5716 CVE-2019-5717 CVE-2019-5718 CVE-2019-5719 CVE-2019-9208 CVE-2019-9209 CVE-2019-9214 |
The following CVEs were announced in Debian Security Advisory DSA-4416-1 and affect the wireshark package.
Debian Security Advisory DSA-4416-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso March 24, 2019 https://www.debian.org/security/faq
Package: wireshark
CVE ID: CVE-2019-5716 CVE-2019-5717 CVE-2019-5718 CVE-2019-5719 CVE-2019-9208 CVE-2019-9209 CVE-2019-9214
Debian Bug: 923611
It was discovered that Wireshark, a network traffic analyzer, contained several vulnerabilities in the dissectors for 6LoWPAN, P_MUL, RTSE, ISAKMP, TCAP, ASN.1 BER and RPCAP, which could result in denial of service.
For the stable distribution (stretch), these problems have been fixed in version 2.6.7-1~deb9u1. We recommend that you upgrade your wireshark packages.
For the detailed security status of wireshark, refer to its security tracker page at: |
RN-1399 (CM-23952) |
ifupdown2 user policy overrides do not apply if multiple files reference same module |
If multiple files reference the same module, ifupdown2 user-defined policy overrides do not apply. This is a known issue that is currently being investigated. |
RN-1405 (CM-24618) |
Apostrophe in interface alias causes netd failure |
If the interface alias contains a single or double quotation mark, or an apostrophe, the ERROR: No closing quotation See /var/log/netd.log for more details. This is a known issue that is currently being investigated. |
RN-1410 (CM-24824) |
DHCP relay crashes with -nl flag when the server returns an offer |
The To work around this issue, remove the This is a known issue that is currently being investigated. |
RN-1439 (CM-25298) |
Debian Security Advisory for vim modelines CVE-2019-12735 |
The following CVEs were announced in a Debian Security Advisory that affects vim modelines.
Package: vim and neovim
CVE ID: CVE-2019-12735
Debian Bugs: 930020, 930024
getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim.
For the detailed security status, refer to the security tracker page at:
https://security-tracker.debian.org/tracker/CVE-2019-12735
https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-12735.html
https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md
Cumulus Networks recommends that you disable modelines in the To check if you have modelines enabled, open vim and enter: :set modeline? If vim returns set modelines=0 set nomodeline modeline is enabled by default. Verify that you do not have any existing lines in |
RN-1440 (CM-25295) |
ifquery file syntax check does not return non-zero on failure |
The This is a known issue that is currently being investigated. |
RN-1442 (CM-25240) |
ifreload -a detects a mismatch on `address-virtual` if the leading zero is not included |
If the This is a known issue that is currently being investigated. |
RN-1445 (CM-25141) |
TACACS-authenticated users cannot use `net` commands even though mapped TACACS users are in the netedit and/or netshow groups |
A TACACS privilege level 15 user mapped to tacacs15 cannot use This is a known issue that is currently being investigated. |
RN-1448 (CM-25344) |
hsflowd fails with IPv6 disabled |
If you disable IPv6 on the switch, This is a known issue that is currently being investigated. |
RN-1468 (CM-25343) |
Debian Security Advisory DSA-4465-1 for linux kernel CVE-2019-3846 CVE-2019-5489 CVE-2019-9500 CVE-2019-9503 CVE-2019-10126 CVE-2019-11477 CVE-2019-11478 CVE-2019-11479 CVE-2019-11486 CVE-2019-11599 CVE-2019-11815 CVE-2019-11833 CVE-2019-11884 |
The following CVEs were announced in Debian Security Advisory DSA-4465-1 and affect the linux kernel. https://www.debian.org/security/ Salvatore Bonaccorso June 17, 2019 https://www.debian.org/security/faq Package: linux This issue will be fixed in a future release. |
Issues Fixed in Cumulus RMP 3.7.5
The following is a list of issues fixed in Cumulus RMP 3.7.5 from earlier versions of Cumulus RMP.
Release Note ID | Summary | Description |
RN-1355 (CM-23829) |
Debian Security Advisory DSA-4387-1 and -2 for openssh CVE-2018-20685 CVE-2019-6109 CVE-2019-6111 |
The following CVEs were announced in Debian Security Advisory DSA-4387-1 and affect the openssh package. This issue is fixed in Cumulus RMP 3.7.5.
Debian Security Advisory DSA-4387-1 security@debian.org https://www.debian.org/security/ Yves-Alexis Perez February 09, 2019 https://www.debian.org/security/faq
Package: openssh
CVE ID: CVE-2018-20685 CVE-2019-6109 CVE-2019-6111
Debian Bug: 793412 919101
Harry Sintonen from F-Secure Corporation discovered multiple vulnerabilities in OpenSSH, an implementation of the SSH protocol suite. All the vulnerabilities are found in the scp client implementing the SCP protocol.
CVE-2018-20685: Due to improper directory name validation, the scp client allows servers to modify permissions of the target directory by using empty or dot directory name.
CVE-2019-6109: Due to missing character encoding in the progress display, the object name can be used to manipulate the client output, for example to employ ANSI codes to hide additional files being transferred.
CVE-2019-6111: Due to scp client insufficient input validation in path names sent by server, a malicious server can do arbitrary file overwrites in target directory. If the recursive (-r) option is provided, the server can also manipulate subdirectories as well.
The check added in this version can lead to regression if the client and the server have differences in wildcard expansion rules. If the server is trusted for that purpose, the check can be disabled with a new -T option to the scp client.
For the stable distribution (stretch), these problems have been fixed in version 1:7.4p1-10+deb9u5. We recommend that you upgrade your openssh packages.
For the detailed security status of openssh please refer to its security tracker page at: |
RN-1368 (CM-24043) |
Debian Security Advisory DSA-4400-1 for openssl CVE-2019-1559 |
The following CVEs were announced in Debian Security Advisory DSA-4400-1 and affect the openssl package. This issue is fixed in Cumulus RMP 3.7.5.
Debian Security Advisory DSA-4400-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff February 28, 2019 https://www.debian.org/security/faq
Package: openssl1.0
CVE ID: CVE-2019-1559
Juraj Somorovsky, Robert Merget and Nimrod Aviram discovered a padding oracle attack in OpenSSL.
For the stable distribution (stretch), this problem has been fixed in version 1.0.2r-1~deb9u1. We recommend that you upgrade your openssl1.0 packages.
For the detailed security status of openssl1.0, refer to its security tracker page at: |
Issues Fixed in Cumulus RMP 3.7.4
The following is a list of issues fixed in Cumulus RMP 3.7.4 from earlier versions of Cumulus RMP.
Release Note ID | Summary | Description |
RN-1203 (CM-23535) |
Debian Security Advisory DSA-4367-1 for systemd CVE-2018-16865 |
The following CVEs were announced in Debian Security Advisory DSA-4367-1 and affect the systemd package. This issue is fixed in Cumulus RMP 3.7.4. ----------------------------------------------------------------------------------- Debian Security Advisory DSA-4367-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso January 13, 2019 https://www.debian.org/security/faq ----------------------------------------------------------------------------------- Package: systemd CVE ID: CVE-2018-16864 CVE-2018-16865 CVE-2018-16866 Debian Bug: 918841 918848 The Qualys Research Labs discovered multiple vulnerabilities in systemd-journald. Two memory corruption flaws, via attacker-controlled alloca()s (CVE-2018-16864, CVE-2018-16865) and an out-of-bounds read flaw leading to an information leak (CVE-2018-16866), could allow an attacker to cause a denial of service or the execution of arbitrary code. Further details in the Qualys Security Advisory at https://www.qualys.com/2019/01/09/system-down/system-down.txt For the stable distribution (stretch), these problems have been fixed in version 232-25+deb9u7. We recommend that you upgrade your systemd packages. For the detailed security status of systemd, refer to its security tracker page at: |
RN-1251 (CM-23701) |
cl-acltool fails to install multiple rules as ordered set |
ACL install is sensitive to the ordering of the LOG/DROP rules. For example, an ACL [iptables] -A FORWARD -s 192.0.2.10,192.0.2.11 -j LOG -A FORWARD -s 192.0.2.10,192.0.2.11 -j DROP fails to install with the following error message from error: hw sync failed (Cannot process iptables,FORWARD,78,Rule with LOG must be followed by same rule with DROP) This happens because This issue is fixed in Cumulus RMP 3.7.4. |
RN-1252 (CM-23700) |
cl-acltool does not install LOG rules if the source or destination has multiple comma-separated prefixes |
-A FORWARD -s "192.168.0.0/16" -d "192.168.0.0/16,172.16.0.0/12" -j LOG --log-prefix "DROP: " -A FORWARD -s "192.168.0.0/16" -d "192.168.0.0/16,172.16.0.0/12" -j DROP You see errors similar to the following: error: hw sync failed (Cannot process iptables,FORWARD,46,Rule with LOG must be followed by same rule with DROP) error: hw sync failed (Cannot process ip6tables,FORWARD,30,Rule with LOG must be followed by same rule with DROP) This issue is fixed in Cumulus RMP 3.7.4. |
RN-1336 (CM-22572) |
Debian Security Issue for the Linux kernel CVE-2018-17182 |
The following CVEs were announced and affect the Linux kernel: https://security-tracker.debian.org/tracker/CVE-2018-17182 for debian. This issue is fixed in Cumulus RMP 3.7.4. |
RN-1337 (CM-24093) |
Logs do not describe which value failed to parse |
Currently if the BMC firmware encounters a value that it cannot parse, it logs the following message, which provides insufficient data to understand which value failed to parse correctly and, therefore, how to further investigate the issue. 2012-01-10T20:41:58.694892+09:00 spc-1am09-1-fb02 bmcd: unparsible sensor value "FAULT ALARM" 2012-01-12T07:08:33.694504+09:00 spc-1am09-1-fb02 bmcd: unparsible sensor value "FAULT ALARM" 2012-01-13T17:51:58.695336+09:00 spc-1am09-1-fb02 bmcd: unparsible sensor value "FAULT ALARM" 2012-01-13T19:31:03.692842+09:00 spc-1am09-1-fb02 bmcd: unparsible sensor value "FAULT ALARM" This issue is fixed in Cumulus RMP 3.7.4. |
RN-1339 (CM-23847) |
10/25g port limit error in syslog not clear |
On the platforms that require a port block to be configured as a set of 10G or 25G, if you do not configure the entire set, for example: 1=10G 2=25G 3=25G 4=10G when you restart This issue is fixed in Cumulus RMP 3.7.4. |
RN-1340 (CM-23920) |
Debian Security Advisory DSA-4393-1 for systemd CVE-2019-6454 |
The following CVEs were announced in Debian Security Advisory DSA-4393-1 and affect the systemd package. This issue is fixed in Cumulus RMP 3.7.4. ---------------------------------------------------------------------------------- Debian Security Advisory DSA-4393-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso February 18, 2019 https://www.debian.org/security/faq ---------------------------------------------------------------------------------- Package : systemd CVE ID : CVE-2019-6454 Chris Coulson discovered a flaw in systemd leading to denial of service. An unprivileged user could take advantage of this issue to crash PID1 by sending a specially crafted D-Bus message on the system bus. For the stable distribution (stretch), this problem has been fixed in version 232-25+deb9u9. We recommend that you upgrade your systemd packages. For the detailed security status of systemd please refer to its security tracker page at: |
RN-1341 (CM-23793) |
Debian Security Advisory DSA 4386-1 for curl CVE-2018-16890 CVE-2019-3822 CVE-2019-3823 |
The following CVEs were announced in Debian Security Advisory DSA-4386-1 and affect the curl package. This issue is fixed in Cumulus RMP 3.7.4. ---------------------------------------------------------------------------------- Debian Security Advisory DSA-4386-1 security@debian.org https://www.debian.org/security/ Alessandro Ghedini February 06, 2019 https://www.debian.org/security/faq ---------------------------------------------------------------------------------- Package : curl CVE ID : CVE-2018-16890 CVE-2019-3822 CVE-2019-3823 Multiple vulnerabilities were discovered in cURL, an URL transfer library. CVE-2018-16890 Wenxiang Qian of Tencent Blade Team discovered that the function handling incoming CVE-2019-3822 Wenxiang Qian of Tencent Blade Team discovered that the function creating an outgoing CVE-2019-3823 Brian Carpenter of Geeknik Labs discovered that the code handling the end-of-response for For the stable distribution (stretch), these problems have been fixed in version 7.52.1-5+deb9u9. We recommend that you upgrade your curl packages. For the detailed security status of curl please refer to its security tracker page at: |
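For the cl-acltool LOG/DROP issues RN-1251 and RN-1252 in the table above, the following is an added example, not Cumulus code: a standalone pre-check that flags the two patterns named in those notes before a rule set is installed on a release earlier than 3.7.4. The function names and finding codes are hypothetical, and it assumes "same rule" in the `hw sync failed` message means the same chain and the same match criteria.

```python
import shlex

# LOG-target options are ignored when comparing a LOG rule with the DROP rule
# after it (assumption: "same rule" means same chain and same match criteria).
LOG_OPTS_WITH_VALUE = {"--log-prefix", "--log-level"}
LOG_FLAGS = {"--log-tcp-sequence", "--log-tcp-options", "--log-ip-options", "--log-uid"}
ADDRESS_OPTS = {"-s", "--source", "-d", "--destination"}


def parse_rule(line):
    """Split one '-A CHAIN ... -j TARGET' line into (chain, target, match)."""
    tokens = shlex.split(line)
    chain = target = None
    match = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        has_value = i + 1 < len(tokens)
        if tok in ("-A", "--append") and has_value:
            chain, i = tokens[i + 1], i + 2
        elif tok in ("-j", "--jump") and has_value:
            target, i = tokens[i + 1], i + 2
        elif tok in LOG_OPTS_WITH_VALUE and has_value:
            i += 2
        elif tok in LOG_FLAGS:
            i += 1
        else:
            match.append(tok)
            i += 1
    return chain, target, tuple(match)


def has_multi_prefix(match):
    """True if -s/-d carries a comma-separated list (iptables expands such a
    list into one rule per address when the rule is appended)."""
    return any(match[k] in ADDRESS_OPTS and "," in match[k + 1]
               for k in range(len(match) - 1))


def lint_acl(text):
    """Return (line_number, code) findings for LOG rules in a policy text."""
    rules = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Skip blanks, comments and section headers such as [iptables].
        if not line or line.startswith("#") or line.startswith("["):
            continue
        chain, target, match = parse_rule(line)
        rules.append((number, chain, target, match))

    findings = []
    for idx, (number, chain, target, match) in enumerate(rules):
        if target != "LOG":
            continue
        nxt = rules[idx + 1] if idx + 1 < len(rules) else None
        paired = (nxt is not None and nxt[2] == "DROP"
                  and nxt[1] == chain and nxt[3] == match)
        if not paired:
            findings.append((number, "unpaired-log"))      # RN-1251 pattern
        if has_multi_prefix(match):
            findings.append((number, "multi-prefix-log"))  # RN-1252 pattern
    return findings


# Rule text from RN-1251 and RN-1252 on this page.
RN_1251 = ("[iptables]\n"
           "-A FORWARD -s 192.0.2.10,192.0.2.11 -j LOG\n"
           "-A FORWARD -s 192.0.2.10,192.0.2.11 -j DROP")
RN_1252 = ('-A FORWARD -s "192.168.0.0/16" -d "192.168.0.0/16,172.16.0.0/12" '
           '-j LOG --log-prefix "DROP: "\n'
           '-A FORWARD -s "192.168.0.0/16" -d "192.168.0.0/16,172.16.0.0/12" -j DROP')
# Constructed samples: a LOG rule followed by a different rule, and a clean pair.
UNPAIRED = ("-A FORWARD -s 192.0.2.10 -j LOG\n"
            "-A FORWARD -s 192.0.2.11 -j DROP")
CLEAN = ('[iptables]\n'
         '-A FORWARD -s 192.0.2.10 -j LOG --log-prefix "DROP: "\n'
         '-A FORWARD -s 192.0.2.10 -j DROP')

if __name__ == "__main__":
    for name, sample in [("RN-1251", RN_1251), ("RN-1252", RN_1252),
                         ("unpaired", UNPAIRED), ("clean", CLEAN)]:
        print(name, lint_acl(sample))
```
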
Issues Fixed in Cumulus RMP 3.7.3
The following is a list of issues fixed in Cumulus RMP 3.7.3 from earlier versions of Cumulus RMP.
Release Note ID | Summary | Description |
RN-885 (CM-20530) |
NCLU 'net show interface' command shows 'NotConfigured' for unnumbered interfaces |
When an interface is configured for OSPF/BGP unnumbered, the This issue is fixed in Cumulus RMP 3.7.3. |
RN-1095 (CM-21813) |
The NCLU `net add` and `net commit` commands edit the interfaces file even when the interface configuration is not changed |
The NCLU This issue is fixed in Cumulus RMP 3.7.3. |
RN-1134 (CM-22589) |
NCLU `net show configuration commands` displays a syslog command with invalid syntax |
NCLU cumulus@switch:~$ net add syslog host ipv4 10.0.0.1 port udp 514 cumulus@switch:~$ net commit then run This issue is fixed in Cumulus RMP 3.7.3. |
RN-1142 (CM-22657) |
The NCLU `net show counters json` command fails with an error |
When you run the ERROR: Execution of the command failed. "/usr/cumulus/bin/cl-netstat -j" failed. Traceback (most recent call last): File "/usr/cumulus/bin/cl-netstat", line 292, in <module> cnstat_diff_print(cnstat_dict, cnstat_cached_dict, use_json) File "/usr/cumulus/bin/cl-netstat", line 135, in cnstat_diff_print print table_as_json(table) File "/usr/cumulus/bin/cl-netstat", line 62, in table_as_json header[3] : int(line[3]), ValueError: invalid literal for int() with base 10: 'Unknown' To work around this issue, run the following command to clear out the semaphore file created by cumulus@switch:~$ rm /tmp/cl-netstat-$UID/$UID This issue is fixed in Cumulus RMP 3.7.3. |
RN-1165 (CM-22802) |
The NCLU `bridge pvid` command does not add the interface to bridge ports |
When you run the This issue is fixed in Cumulus RMP 3.7.3. |
RN-1171 (CM-22950) |
Debian Security Advisory DSA-4335-1 for nginx issues CVE-2018-16843 CVE-2018-16844 CVE-2018-16845 |
The following CVEs were announced in Debian Security Advisory DSA-4335-1, and affect the nginx package. This issue is fixed in Cumulus RMP 3.7.3. ------------------------------------------------------------------------------------- Debian Security Advisory DSA-4335-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff November 08, 2018 https://www.debian.org/security/faq ------------------------------------------------------------------------------------------ Package : nginx CVE ID : CVE-2018-16843 CVE-2018-16844 CVE-2018-16845 Three vulnerabilities were discovered in Nginx, a high-performance web and reverse proxy server, which could result in denial of service in processing HTTP/2 (via excessive memory/CPU usage) or server memory disclosure in the ngx_http_mp4_module module (used for server-side MP4 streaming). For the stable distribution (stretch), these problems have been fixed in version 1.10.3-1+deb9u2. We recommend that you upgrade your nginx packages. For the detailed security status of nginx please refer to its security tracker page at: |
RN-1206 (CM-23399) |
Debian Security Advisory DSA-4360-1 for libarchive CVE-2016-10209 CVE-2016-10349 CVE-2016-10350 CVE-2017-14166 CVE-2017-14501 CVE-2017-14502 CVE-2017-14503 CVE-2018-1000877 CVE-2018-1000878 CVE-2018-1000880 |
The following CVEs were announced in Debian Security Advisory DSA-4360-1, and affect the libarchive package. This issue is fixed in Cumulus RMP 3.7.3. ------------------------------------------------------------------------------------- Debian Security Advisory DSA-4360-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff December 27, 2018 https://www.debian.org/security/faq ------------------------------------------------------------------------------------- Package: libarchive CVE ID: CVE-2016-10209 CVE-2016-10349 CVE-2016-10350 CVE-2017-14166 CVE-2017-14501 CVE-2017-14502 CVE-2017-14503 CVE-2018-1000877 CVE-2018-1000878 CVE-2018-1000880 Multiple security issues were found in libarchive, a multi-format archive and compression library: Processing malformed RAR archives could result in denial of service or the execution of arbitrary code and malformed WARC, LHarc, ISO, Xar or CAB archives could result in denial of service. For the stable distribution (stretch), these problems have been fixed in version 3.2.2-2+deb9u1. We recommend that you upgrade your libarchive packages. For the detailed security status of libarchive, refer to its security tracker page at: |
RN-1208 (CM-23350) |
PTMD shows the interface as `pass` when the link is down |
If an interface is correctly configured according to the This issue is fixed in Cumulus RMP 3.7.3. |
RN-1210 (CM-23310) |
KVM support for clock synchronization is missing in the Telemetry Server kernel |
The kvm-clock module is missing in the kernel on the telemetry server. The system clock only advances one second for approximately every ten real-time seconds that pass. This stops NTP from being able to synchronize the clock. This issue is fixed in Cumulus RMP 3.7.3. |
RN-1213 (CM-23266) |
Certain commands cause a traceback if the /etc/hostapd.conf file does not exist |
When the cumulus@switch:~$ net add interface swp1 link down cumulus@switch:~$ net pending cumulus@switch:~$ net commit cumulus@switch:~$ net del interface swp1 link down To work around this issue:
|
RN-1215 (CM-23203) |
ACL matching 0.0.0.0/32 installs as 0.0.0.0/0 |
Using an iptables rule (ACL) to block packets with a source IP address of exactly 0.0.0.0 unexpectedly drops all IPv4 packets. This issue is fixed in Cumulus RMP 3.7.3. Note: Cumulus Linux drops these packets by default and no rule is required. |
RN-1217 (CM-23126) |
Debian Security Advisory DSA-4349-1 for libtiff5 (tiff) CVE-2017-11613 CVE-2017-17095 CVE-2018-5784 CVE-2018-7456 CVE-2018-8905 CVE-2018-10963 CVE-2018-17101 CVE-2018-18557 CVE-2018-15209 CVE-2018-16335 |
The following CVEs were announced in Debian Security Advisory DSA-4349-1, and affect the libtiff5 package. This issue is fixed in Cumulus RMP 3.7.3. ------------------------------------------------------------------------------------- Debian Security Advisory DSA-4349-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff November 30, 2018 https://www.debian.org/security/faq ------------------------------------------------------------------------------------- Package: libtiff5 CVE ID: CVE-2017-11613 CVE-2017-17095 CVE-2018-5784 CVE-2018-7456 CVE-2018-8905 CVE-2018-10963 CVE-2018-17101 CVE-2018-18557 CVE-2018-15209 CVE-2018-16335 Multiple vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed. For the stable distribution (stretch), these problems have been fixed in version 4.0.8-2+deb9u4. We recommend that you upgrade your tiff packages. For the detailed security status of tiff, refer to its security tracker page at: |
RN-1218 (CM-22974) |
Debian Security Advisory DSA-4338-1 for qemu CVE-2018-10839 CVE-2018-17962 CVE-2018-17963 |
The following CVEs were announced in Debian Security Advisory DSA-4338-1, and affect the qemu package. This issue is fixed in Cumulus RMP 3.7.3. ------------------------------------------------------------------------------------- Debian Security Advisory DSA-4338-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff November 11, 2018 https://www.debian.org/security/faq ------------------------------------------------------------------------------------- Package: qemu CVE ID: CVE-2018-10839 CVE-2018-17962 CVE-2018-17963 Debian Bug: 908682 910431 911468 911469 Integer overflows in the processing of packets in network cards emulated by QEMU, a fast processor emulator, could result in denial of service. In addition this update backports support to passthrough the new CPU features added in the intel-microcode update shipped in DSA 4273 to x86-based guests. For the stable distribution (stretch), these problems have been fixed in version 1:2.8+dfsg-6+deb9u5. We recommend that you upgrade your qemu packages. For the detailed security status of qemu, refer to its security tracker page at: https://security-tracker.debian.org/tracker/qemu Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ |
RN-1227 (CM-23135) |
When you bring down a virtual interface, then run ifreload -a, the interface comes back up |
Running This issue is fixed in Cumulus RMP 3.7.3. |
New Known Issues in Cumulus RMP 3.7.3
The following issues are new to Cumulus RMP and affect the current release.
Release Note ID | Summary | Description |
RN-1202 (CM-23398) |
Debian Security Advisory DSA 4359-1 for wireshark CVE-2018-12086 CVE-2018-18225 CVE-2018-18226 CVE-2018-18227 CVE-2018-19622 CVE-2018-19623 CVE-2018-19624 CVE-2018-19625 CVE-2018-19626 CVE-2018-19627 CVE-2018-19628 |
The following CVEs were announced in Debian Security Advisory DSA-4359-1 and affect the wireshark package. ----------------------------------------------------------------------------------- Debian Security Advisory DSA-4359-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff December 27, 2018 https://www.debian.org/security/faq ---------------------------------------------------------------------------------- Package: wireshark CVE ID: CVE-2018-12086 CVE-2018-18225 CVE-2018-18226 CVE-2018-18227 CVE-2018-19622 CVE-2018-19623 CVE-2018-19624 CVE-2018-19625 CVE-2018-19626 CVE-2018-19627 CVE-2018-19628 Multiple vulnerabilities have been discovered in Wireshark, a network protocol analyzer, which could result in denial of service or the execution of arbitrary code. For the stable distribution (stretch), these problems have been fixed in version 2.6.5-1~deb9u1. We recommend that you upgrade your wireshark packages. For the detailed security status of wireshark, refer to its security tracker page at: https://security-tracker.debian.org/tracker/wireshark This issue will be fixed in a future version of Cumulus Linux. |
RN-1203 (CM-23535) |
Debian Security Advisory DSA-4367-1 for systemd CVE-2018-16865 |
The following CVEs were announced in Debian Security Advisory DSA-4367-1 and affect the systemd package. ----------------------------------------------------------------------------------- Debian Security Advisory DSA-4367-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso January 13, 2019 https://www.debian.org/security/faq ----------------------------------------------------------------------------------- Package: systemd CVE ID: CVE-2018-16864 CVE-2018-16865 CVE-2018-16866 Debian Bug: 918841 918848 The Qualys Research Labs discovered multiple vulnerabilities in systemd-journald. Two memory corruption flaws, via attacker-controlled alloca()s (CVE-2018-16864, CVE-2018-16865) and an out-of-bounds read flaw leading to an information leak (CVE-2018-16866), could allow an attacker to cause a denial of service or the execution of arbitrary code. Further details in the Qualys Security Advisory at https://www.qualys.com/2019/01/09/system-down/system-down.txt For the stable distribution (stretch), these problems have been fixed in version 232-25+deb9u7. We recommend that you upgrade your systemd packages. For the detailed security status of systemd, refer to its security tracker page at: https://security-tracker.debian.org/tracker/systemd This issue will be fixed in a future version of Cumulus Linux. |
RN-1219 (CM-23523) |
NCLU `show_linux_command = True` does not show linux commands |
Modifying the This is a known issue that is currently being investigated. |
RN-1220 (CM-23422) |
Error reading and writing from module causes module type to change |
This is a known issue that is currently being investigated. |
RN-1221 (CM-23418) |
`sudo ifdown` does not disable Tx Laser on QSFP+ |
For Flexoptix modules, the This is a known issue that is currently being investigated. |
RN-1223 (CM-20966) |
LLDP information is missing for a switch port when you run `net show interface` |
The NCLU This is a known issue that is currently being investigated. |
RN-1230 (CM-23584) |
NCLU programs control plane ACL in FORWARD chain |
When you configure a control plane ACL to define permit and deny rules destined to the local switch, NCLU programs the control plane ACL rules into the FORWARD chain. This is a known issue that is currently being investigated. |
RN-1232 (CM-23372) |
DHCP Relay does not work with traditional bridges |
DHCP Relay does not work on traditional bridges. The DHCP Discover message is forwarded as unicast to the DHCP server and the Offer is received correctly, but is not forwarded to the client. To work around this issue, make sure that the name of the bridge is no longer than 14 characters and change the name of the bridge if necessary. This is a known issue that is currently being investigated. |
RN-1236 (CM-23123) |
FEC settings are persistent after being removed from the configuration |
When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none. This is a known issue that is currently being investigated. |
RN-1251 (CM-23701) |
cl-acltool fails to install multiple rules as ordered set |
ACL install is sensitive to the ordering of the LOG/DROP rules. For example, an ACL [iptables] -A FORWARD -s 192.0.2.10,192.0.2.11 -j LOG -A FORWARD -s 192.0.2.10,192.0.2.11 -j DROP fails to install with the following error message from error: hw sync failed (Cannot process iptables,FORWARD,78,Rule with LOG must be followed by same rule with DROP) This happens because This is a known issue that is currently being investigated. |
RN-1252 (CM-23700) |
cl-acltool does not install LOG rules if the source or destination has multiple comma-separated prefixes |
-A FORWARD -s "192.168.0.0/16" -d "192.168.0.0/16,172.16.0.0/12" -j LOG --log-prefix "DROP: " -A FORWARD -s "192.168.0.0/16" -d "192.168.0.0/16,172.16.0.0/12" -j DROP You see errors similar to the following: error: hw sync failed (Cannot process iptables,FORWARD,46,Rule with LOG must be followed by same rule with DROP) error: hw sync failed (Cannot process ip6tables,FORWARD,30,Rule with LOG must be followed by same rule with DROP) This is a known issue that is currently being investigated. |
RN-1253 (CM-23696) |
IPv6 unregistered multicast packets flooded despite `bridge.optimized_mcast_flood = TRUE` |
IPv6 multicast traffic destined to an unregistered multicast group is flooded to all ports in a bridge despite the This is a known issue that is currently being investigated. |
RN-1256 (CM-23652) |
`net show bridge spanning-tree` does not show the MLAG peer link in an STP forwarding instance |
The NCLU command This is a known issue that is currently being investigated. |
Issues Fixed in Cumulus RMP 3.7.2
The following is a list of issues fixed in Cumulus RMP 3.7.2 from earlier versions of Cumulus RMP.
Release Note ID | Summary | Description |
RN-1082 (CM-22257) |
You can add ports as bridge ports multiple times with NCLU |
When you add ports as bridge ports multiple times with the NCLU command, the commits succeed without error. To work around this issue, remove the extra interfaces with the This issue is fixed in Cumulus RMP 3.7.2. |
RN-1085 (CM-22237) |
NCLU SNMP configuration does not start the SNMP server |
When you configure SNMP with NCLU commands, the SNMP server does not restart and you see a warning: WARNING: snmpd is not running. Run "journalctl -u snmpd" for error messages. To work around this issue, start SNMP manually. This issue is fixed in Cumulus RMP 3.7.2. |
RN-1092 (CM-22443) |
IEEE 802.1X support for management VRF |
Add the DAS listener service to the This issue is fixed in Cumulus RMP 3.7.2. |
RN-1130 (CM-22618) |
On Cumulus RMP, multiple failed ACL installations result in an `out of table resource` message even after reverting to a good rule set |
After attempting to install unsupported ICMPv6-type rules, the hardware sync fails with an This issue is fixed in Cumulus RMP 3.7.2. |
RN-1143 (CM-22631) |
Adding MTU to a VLAN adds `mtu` lines for each bridge port even if they are not defined in /etc/network/interfaces |
If you add the MTU to a VLAN with the NCLU This issue is fixed in Cumulus RMP 3.7.2. |
RN-1156 (CM-22662) |
Debian Security Advisory DSA-4314 for net-snmp issues CVE-2018-18065 |
The following CVEs were announced in Debian Security Advisory DSA-4314-1 and affect the net-snmp package. This issue is fixed in Cumulus RMP 3.7.2. ------------------------------------------------------------------ Debian Security Advisory DSA-4314-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso October 11, 2018 https://www.debian.org/security/faq ------------------------------------------------------------------ Package : net-snmp CVE ID : CVE-2018-18065 Debian Bug : 910638 Magnus Klaaborg Stubman discovered a NULL pointer dereference bug in net-snmp, a suite of Simple Network Management Protocol applications, allowing a remote, authenticated attacker to crash the snmpd process (causing a denial of service). For the stable distribution (stretch), this problem has been fixed in version 5.7.3+dfsg-1.7+deb9u1. We recommend that you upgrade your net-snmp packages. For the detailed security status of net-snmp, refer to its security tracker page at: https://security-tracker.debian.org/tracker/net-snmp Upstream info and fix are: https://dumpco.re/blog/net-snmp-5.7.3-remote-dos https://sourceforge.net/p/net-snmp/code/ci/7ffb8e25a0db851953155de91f0170e9bf8c457d/ |
RN-1173 (CM-22917) |
The `poed` service is not enabled by default on PoE platforms in Cumulus Linux 3.7 |
When installing a Cumulus Linux 3.6.1 through 3.7.1 image, the This issue is fixed in Cumulus RMP 3.7.2. |
RN-1180 (CM-22087) |
NCLU fails to parse when `link-speed 10` is applied |
NCLU does not allow for configuration of This issue is fixed in Cumulus RMP 3.7.2. |
New Known Issues in Cumulus RMP 3.7.2
The following issues are new to Cumulus RMP and affect the current release.
Release Note ID | Summary | Description |
RN-1145 (CM-22560) |
Debian Security Advisory DSA-4306-1 for python issues CVE-2018-1060 CVE-2018-1061 CVE-2018-1000802 |
The following CVEs were announced in Debian Security Advisory DSA-4306-1 and affect the python package. ------------------------------------------------------------------------- Debian Security Advisory DSA-4306-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff September 27, 2018 https://www.debian.org/security/faq ------------------------------------------------------------------------- Package: python3.4 CVE ID: CVE-2018-1060 CVE-2018-1061 CVE-2018-1000802 Multiple security issues were discovered in Python: ElementTree failed to initialise Expat's hash salt, two denial of service issues were found in difflib and poplib and the shutil module was affected by a command injection vulnerability. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ This issue will be fixed in a future release. |
RN-1150 (CM-22891) |
Debian Security Advisory DSA-4332-1 for ruby issues CVE-2018-16395 CVE-2018-16396 |
The following CVEs were announced in Debian Security Advisory DSA-4332-1 and affect the ruby package. ------------------------------------------------------------------------- Debian Security Advisory DSA-4332-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso November 03, 2018 https://www.debian.org/security/faq ------------------------------------------------------------------------- Package : ruby2.3 CVE ID : CVE-2018-16395 CVE-2018-16396 Several vulnerabilities have been discovered in the interpreter for the Ruby language. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2018-16395 Tyler Eckstein reported that the equality check of OpenSSL::X509::Name could return true for non-equal objects. If a malicious X.509 certificate is passed to compare with an existing certificate, there is a possibility to be judged incorrectly that they are equal. CVE-2018-16396 Chris Seaton discovered that tainted flags are not propagated in Array#pack and String#unpack with some directives. For the stable distribution (stretch), these problems have been fixed in version 2.3.3-1+deb9u4. We recommend that you upgrade your ruby2.3 packages. For the detailed security status of ruby2.3, refer to its security tracker page at: https://security-tracker.debian.org/tracker/ruby2.3 The 2.1 tracker for jessie is: https://security-tracker.debian.org/tracker/ruby2.1 This issue will be fixed in a future release. |
RN-1158 (CM-22609) |
Debian Security Advisory DSA-4311-1 for git issues CVE-2018-17456 |
The following CVEs were announced in Debian Security Advisory DSA-4311-1 and affect the git package. ------------------------------------------------------------------- Debian Security Advisory DSA-4311-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso October 05, 2018 https://www.debian.org/security/faq ------------------------------------------------------------------- Package : git CVE ID : CVE-2018-17456 joernchen of Phenoelit discovered that git, a fast, scalable, distributed revision control system, is prone to an arbitrary code execution vulnerability via a specially crafted .gitmodules file in a project cloned with --recurse-submodules. For the stable distribution (stretch), this problem has been fixed in version 1:2.11.0-3+deb9u4. We recommend that you upgrade your git packages. For the detailed security status of git, refer to its security tracker page at: https://security-tracker.debian.org/tracker/git This issue will be fixed in a future release. |
RN-1159 (CM-22441) |
Debian Security Advisory DSA-4924 for ghostscript issues CVE-2018-16509 CVE-2018-16802 CVE-2018-11645 |
The following CVEs were announced in Debian Security Advisory DSA-4924-1 and affect the ghostscript package. ---------------------------------------------------------- Debian Security Advisory DSA-4294-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff September 16, 2018 https://www.debian.org/security/faq ---------------------------------------------------------- Package : ghostscript CVE ID : CVE-2018-16509 CVE-2018-16802 Tavis Ormandy discovered multiple vulnerabilities in Ghostscript, an interpreter for the PostScript language, which could result in the execution of arbitrary code if a malformed Postscript file is processed (despite the dSAFER sandbox being enabled). For the stable distribution (stretch), these problems have been fixed in version 9.20~dfsg-3.2+deb9u5. We recommend that you upgrade your ghostscript packages. For the detailed security status of ghostscript, refer to its security tracker page at: https://security-tracker.debian.org/tracker/ghostscript This issue will be fixed in a future release. |
RN-1160 (CM-22298) |
Debian Security Advisory DSA-4286-1 for curl issues CVE-2018-14618 |
The following CVEs were announced in Debian Security Advisory DSA-4286-1 and affect the curl package. ------------------------------------------------------------- Debian Security Advisory DSA-4286-1 security@debian.org https://www.debian.org/security/ Alessandro Ghedini September 05, 2018 https://www.debian.org/security/faq ------------------------------------------------------------- Package : curl CVE ID : CVE-2018-14618 Zhaoyang Wu discovered that cURL, an URL transfer library, contains a buffer overflow in the NTLM authentication code triggered by passwords that exceed 2GB in length on 32bit systems. See https://curl.haxx.se/docs/CVE-2018-14618.html for more information. For the stable distribution (stretch), this problem has been fixed in version 7.52.1-5+deb9u7. We recommend that you upgrade your curl packages. For the detailed security status of curl, refer to its security tracker page at: https://security-tracker.debian.org/tracker/curl This issue will be fixed in a future release. |
RN-1161 (CM-22937) |
NCLU SNMPv3 user configuration does not get applied correctly |
NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the To work around this issue, stop This is a known issue that is currently being investigated. |
RN-1165 (CM-22802) |
The NCLU `bridge pvid` command does not add the interface to bridge ports |
When you run the This is a known issue that is currently being investigated. |
RN-1171 (CM-22950) |
Debian Security Advisory DSA-4335-1 for nginx issues CVE-2018-16843 CVE-2018-16844 CVE-2018-16845 |
The following CVEs were announced in Debian Security Advisory DSA-4335-1 and affect the nginx package. ------------------------------------------------------------------------------------- Debian Security Advisory DSA-4335-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff November 08, 2018 https://www.debian.org/security/faq -------------------------------------------------------------------------------------- Package : nginx CVE ID : CVE-2018-16843 CVE-2018-16844 CVE-2018-16845 Three vulnerabilities were discovered in Nginx, a high-performance web and reverse proxy server, which could result in denial of service in processing HTTP/2 (via excessive memory/CPU usage) or server memory disclosure in the ngx_http_mp4_module module (used for server-side MP4 streaming). For the stable distribution (stretch), these problems have been fixed in version 1.10.3-1+deb9u2. We recommend that you upgrade your nginx packages. For the detailed security status of nginx, refer to its security tracker page at: https://security-tracker.debian.org/tracker/nginx This issue will be fixed in a future release. |
RN-1172 (CM-22346) |
Debian Security Advisory DSA-4288-1 for ghostscript issues CVE-2018-15908 CVE-2018-15910 CVE-2018-15911 CVE-2018-16511 CVE-2018-16513 CVE-2018-16539 CVE-2018-16540 CVE-2018-16541 CVE-2018-16542 CVE-2018-16543 CVE-2018-16585 |
The following CVEs were announced in Debian Security Advisory DSA-4288-1 and affect the ghostscript package.

-----------------------------------------------------------------
Debian Security Advisory DSA-4288-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
September 07, 2018 https://www.debian.org/security/faq
------------------------------------------------------------------

Package : ghostscript
CVE ID : CVE-2018-15908 CVE-2018-15910 CVE-2018-15911 CVE-2018-16511 CVE-2018-16513 CVE-2018-16539 CVE-2018-16540 CVE-2018-16541 CVE-2018-16542 CVE-2018-16543 CVE-2018-16585

Tavis Ormandy discovered multiple vulnerabilities in Ghostscript, an interpreter for the PostScript language, which could result in denial of service, the creation of files or the execution of arbitrary code if a malformed Postscript file is processed (despite the dSAFER sandbox being enabled).

For the stable distribution (stretch), these problems have been fixed in version 9.20~dfsg-3.2+deb9u4.

We recommend that you upgrade your ghostscript packages.

For the detailed security status of ghostscript, refer to its security tracker page at: https://security-tracker.debian.org/tracker/ghostscript

This issue will be fixed in a future release. |
RN-1192 (CM-23075) |
Limitation on the number of interfaces supported in the DHCP relay file |
There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the 2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51 2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51 Eventually the This is a known issue that is currently being investigated. |
New Known Issues in Cumulus RMP 3.7.1
The following issues are new to Cumulus RMP and affect the current release.
Issues Fixed in Cumulus RMP 3.7.0
The following is a list of issues fixed in Cumulus RMP 3.7.0 from earlier versions of Cumulus RMP.
Release Note ID | Summary | Description |
RN-1040 (CM-22120) |
Link down does not work on an Ethernet interface configured in the management VRF |
The This issue is fixed in Cumulus RMP 3.7.0. |
RN-1041 (CM-21890) |
Debian Security Advisory DSA-4259 for Ruby issues CVE-2017-17405 CVE-2017-17742 CVE-2017-17790 CVE-2018-6914 CVE-2018-8777 CVE-2018-8778 CVE-2018-8779 CVE-2018-8780 CVE-2018-1000073 |
The following CVEs were announced in Debian Security Advisory DSA-4259-1 and affect the ruby2.3 package. This issue is fixed in Cumulus RMP 3.7.0.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4259-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
July 31, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package: ruby2.3
CVE ID: CVE-2017-17405 CVE-2017-17742 CVE-2017-17790 CVE-2018-6914 CVE-2018-8777 CVE-2018-8778 CVE-2018-8779 CVE-2018-8780 CVE-2018-1000073 CVE-2018-1000074 CVE-2018-1000075 CVE-2018-1000076 CVE-2018-1000077 CVE-2018-1000078 CVE-2018-1000079

Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may result in incorrect processing of HTTP/FTP, directory traversal, command injection, unintended socket creation or information disclosure.

This update also fixes several issues in RubyGems which could allow an attacker to use specially crafted gem files to mount cross-site scripting attacks, cause denial of service through an infinite loop, write arbitrary files, or run malicious code.

For the stable distribution (stretch), these problems have been fixed in version 2.3.3-1+deb9u3.

We recommend that you upgrade your ruby2.3 packages.

Note: CVE-2018-1000073 and CVE-2018-1000074 are awaiting re-analysis.

For the detailed security status of ruby2.3, refer to its security tracker page at: https://security-tracker.debian.org/tracker/ruby2.3 |
RN-1043 (CM-22066) |
NCLU commands hang without response |
When you run an NCLU command from the command line, the command hangs without a response. This issue is fixed in Cumulus RMP 3.7.0. |
RN-1049 (CM-22161) |
The ptmd shell environment variables are not being set correctly |
When the This issue is fixed in Cumulus RMP 3.7.0. |
RN-1050 (CM-22146) |
Repeating an existing SNMP v3 user returns wrong exit code |
If SNMP is configured, entering the NCLU command to create an SNMP v3 user that already exists returns an exit code of 1. To work around this issue, delete the username with This issue is fixed in Cumulus RMP 3.7.0. |
RN-1056 (CM-22147) |
Debian Security Advisory DSA-4280-1 for openssh issues CVE-2018-15473 |
The following CVEs were announced in Debian Security Advisory DSA-4280-1 and affect the openssh package. This issue is fixed in Cumulus RMP 3.7.0.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4280-1 security@debian.org
https://www.debian.org/security/ Sebastien Delafond
August 22, 2018 https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : openssh
CVE ID : CVE-2018-15473
Debian Bug : 906236

Dariusz Tytko, Michal Sajdak and Qualys Security discovered that OpenSSH, an implementation of the SSH protocol suite, was prone to a user enumeration vulnerability. This would allow a remote attacker to check whether a specific user account existed on the target server.

For the stable distribution (stretch), this problem has been fixed in version 1:7.4p1-10+deb9u4.

We recommend that you upgrade your openssh packages.

For the detailed security status of openssh, refer to its security tracker page at: https://security-tracker.debian.org/tracker/openssh |
RN-1057 (CM-21619) |
Security: ntp issues CVE-2018-7182 CVE-2018-7183 CVE-2018-7184 CVE-2018-7185 |
The following CVEs affect ntp. This issue is fixed in Cumulus RMP 3.7.0.

-------------------------------------------------------------------------
Ubuntu Security Notice USN-3707-1
July 09, 2018
ntp vulnerabilities
-------------------------------------------------------------------------

A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.04 LTS
- Ubuntu 17.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary: Several security issues were fixed in NTP.

Software Description: ntp: Network Time Protocol daemon and utility programs

Details:

Yihan Lian discovered that NTP incorrectly handled certain malformed mode 6 packets. A remote attacker could possibly use this issue to cause ntpd to crash, resulting in a denial of service. This issue only affected Ubuntu 17.10 and Ubuntu 18.04 LTS. (CVE-2018-7182)

Michael Macnair discovered that NTP incorrectly handled certain responses. A remote attacker could possibly use this issue to execute arbitrary code. (CVE-2018-7183)

Miroslav Lichvar discovered that NTP incorrectly handled certain zero-origin timestamps. A remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 17.10 and Ubuntu 18.04 LTS. (CVE-2018-7184)

Miroslav Lichvar discovered that NTP incorrectly handled certain zero-origin timestamps. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2018-7185)

Update instructions: The problem can be corrected by updating your system to the following package versions:
- Ubuntu 18.04 LTS: ntp 1:4.2.8p10+dfsg-5ubuntu7.1
- Ubuntu 17.10: ntp 1:4.2.8p10+dfsg-5ubuntu3.3
- Ubuntu 16.04 LTS: ntp 1:4.2.8p4+dfsg-3ubuntu5.9
- Ubuntu 14.04 LTS: ntp 1:4.2.6.p5+dfsg-3ubuntu2.14.04.13

In general, a standard system update will make all the necessary changes.

References: https://usn.ubuntu.com/usn/usn-3707-1 CVE-2018-7182, CVE-2018-7183, CVE-2018-7184, CVE-2018-7185 |
RN-1059 (CM-21939) |
Debian Security Advisory DSA-4266-1 for kernel issues CVE-2018-13405 |
The following CVEs were announced in Debian Security Advisory DSA-4266-1 and affect the kernel. This issue is fixed in Cumulus RMP 3.7.0.

-------------------------------------------------------------------------

Debian shows the CVE-2018-13405 details, including link to the kernel.org fix here: https://security-tracker.debian.org/tracker/CVE-2018-13405.

The kernel.org fix is here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7

Debian has the CVE-2018-5390 TCP DoS info here: https://security-tracker.debian.org/tracker/CVE-2018-5390.

CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') - CVE-2018-5390

Linux kernel versions 4.9+ can be forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service. An attacker can induce a denial of service condition by sending specially modified packets within ongoing TCP sessions. Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port. Thus, the attacks cannot be performed using spoofed IP addresses. |
RN-1060 (CM-22016) |
Debian Security Advisory DSA-4269-1 for postgresql issues CVE-2018-10915 CVE-2018-10925 |
The following CVEs were announced in Debian Security Advisory DSA-4269-1 and affect the postgresql package. CVE-2018-10925 is fixed in Cumulus RMP 3.7.0. CVE-2018-10915 will be fixed when it's fixed upstream.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4269-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
August 10, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : postgresql-9.6
CVE ID : CVE-2018-10915 CVE-2018-10925

Two vulnerabilities have been found in the PostgreSQL database system:

CVE-2018-10915: Andrew Krasichkov discovered that libpq did not reset all its connection state during reconnects.

CVE-2018-10925: It was discovered that some "CREATE TABLE" statements could disclose server memory.

For additional information, refer to the upstream announcement at https://www.postgresql.org/about/news/1878/

For the detailed security status of postgresql-9.6, refer to its security tracker page at:
- https://security-tracker.debian.org/tracker/postgresql-9.6
- https://security-tracker.debian.org/tracker/source-package/postgresql-9.4
- https://security-tracker.debian.org/tracker/CVE-2018-10915
- https://security-tracker.debian.org/tracker/CVE-2018-10925

CVE-2018-10925 is listed as fixed in jessie source package: 9.4.19-0+deb8u1 |
RN-1061 (CM-22203) |
The HTTP API is enabled and listening by default |
By default, the nginx server used for the HTTP API on port 8080 is enabled, but does not listen to external requests. However, it appears to be listening and answering external requests. This issue is fixed in Cumulus RMP 3.7.0. |
RN-1111 (CM-21804) |
`mstpd` prints unnecessary `bridge_notify: port ##: no_flush 0` log when there is a netlink link event |
Whenever there is a netlink link event, This issue is fixed in Cumulus RMP 3.7.0. |
Known Issues in Cumulus RMP 3.7.0
The following known issues affect the current release.
Release Note ID | Summary | Description |
RN-602 (CM-15094) |
sFlow interface speed incorrect in counter samples |
Counter samples exported from the switch show an incorrect interface speed. This is a known issue that is currently being investigated. |
RN-754 (CM-15812) |
Multicast forwarding fails for IP addresses whose DMAC overlaps with reserved DIPs |
Multicast forwarding fails for IP addresses whose DMAC overlaps with reserved DIPs. This is a known issue that is currently being investigated. |
RN-755 (CM-16855) |
Auto-negotiation ON sometimes results in NO-CARRIER |
If two nodes on both sides of a link change from auto-negotiation off to auto-negotiation on for both sides during a short interval (around one second), the link might start flapping or stay down. To work around this issue and stop the flapping, turn the link down on the switch with the command |
RN-758 (CM-17557) |
If sFlow is enabled, some sampled packets (such as multicast) are forwarded twice |
When sFlow is enabled, some sampled packets, such as IPMC, are forwarded twice (in the ASIC and then again through the kernel networking stack). This is a known issue that is currently being investigated. |
RN-760 (CM-18682) |
smonctl utility JSON parsing error |
There is a parsing error with the This is a known issue that is currently being investigated. |
RN-788 (CM-19381) |
dhcrelay does not bind to interfaces that have names longer than 14 characters |
The To work around this issue, change the interface name to be 14 or fewer characters if This is a known issue that is currently being investigated. |
RN-822 (CM-19788) |
Using the same VLAN ID on a subinterface and bridge VIDs for a given port is not easily corrected |
If you configure a VLAN under a VLAN-aware bridge and create a subinterface of the same VLAN on one of the bridge ports, the bridge and interface compete for the same VLAN and if the interface is flapped, it stops working. Correcting the configuration and running the This is a known issue that is currently being investigated. |
RN-823 (CM-19724) |
Multicast control protocols are classified to the bulk queue by default |
PIM and MSDP entries are set to the internal COS value of 6 so they are grouped together with the bulk traffic priority group in the default This is a known issue that is currently being investigated. |
RN-948 (CM-17494) |
The default arp_ignore mode does not prevent reachable neighbor entries for hosts not on the connected subnet |
In certain cases, a peer device sends an ARP request from a source IP address that is not on the connected subnet and the switch creates a STALE neighbor entry. Eventually, the switch attempts to keep the entry fresh and sends ARP requests to the host. If the host responds, the switch has REACHABLE neighbor entries for hosts that are not on the connected subnet. To work around this issue, change the value of |
RN-1039 (CM-22045) |
SNMPv3 Trap passwords and encryption keys longer than 16 characters might cause snmpd to core dump |
SNMPv3 TRAP passwords or encryption keys longer than 16 characters might result in a core dump. For example:

```
net add snmp-server trap-destination 3.3.3.3 username verlongtrapusername auth-md5 verylongmd52345678901234567890 encrypt-aes verylongencrypt567890123456789012345678 engine-id 0x80001f8880f49b75319690895b00000000
# this results in a core dump:
root@cel-redxp-01:/home/cumulus# systemctl status snmpd
snmpd.service - Simple Network Management Protocol (SNMP) Daemon.
Loaded: loaded (/lib/systemd/system/snmpd.service; enabled)
Active: failed (Result: core-dump) since Wed 2018-09-05 16:18:05 UTC; 1min 25s ago
Process: 21163 ExecStart=/usr/sbin/snmpd $SNMPDOPTS -f (code=dumped, signal=SEGV)
Main PID: 21163 (code=dumped, signal=SEGV)
Sep 05 16:18:05 cel-redxp-01 systemd[1]: Started Simple Network Management Protocol (SNMP) Daemon..
Sep 05 16:18:05 cel-redxp-01 systemd[1]: snmpd.service: main process exited, code=dumped, status=11/SEGV
Sep 05 16:18:05 cel-redxp-01 systemd[1]: Unit snmpd.service entered failed state.
```

To work around this issue, use SNMPv3 TRAP passwords and encryption keys that are 16 characters or shorter. This is a known issue that is currently being investigated. |
RN-1071 (CM-22345) |
Redirected traffic increments the INPUT ACL rule counter but does not perform an action |
If a packet to an unknown IP address (but known network) enters the switch and matches an INPUT ACL rule, it is redirected for ARP and the counters increment for that rule, but it does not perform the action. This only happens until the ARP reply is sent, and then the traffic is forwarded properly. To work around this issue, change the rules to INPUT,FORWARD instead of INPUT. Drops should then be logged properly. This is a known issue that is currently being investigated. |
RN-1074 (CM-22145) |
The `net show configuration files` command does not include /etc/restapi.conf |
The This is a known issue that is currently being investigated. |
RN-1082 (CM-22257) |
You can add ports as bridge ports multiple times with NCLU |
When you add ports as bridge ports multiple times with the NCLU command, the commits succeed without error. To work around this issue, remove the extra interfaces with the This is a known issue that is currently being investigated. |
RN-1085 (CM-22237) |
NCLU SNMP configuration does not start the SNMP server |
When you configure SNMP with NCLU commands, the SNMP server does not restart and you see a warning: WARNING: snmpd is not running. Run "journalctl -u snmpd" for error messages. To work around this issue, start SNMP manually. This is a known issue that is currently being investigated. |
RN-1092 (CM-22443) |
IEEE 802.1X support for management VRF |
Add the DAS listener service to the This issue is currently being investigated. |
RN-1095 (CM-21813) |
The NCLU `net add` and `net commit` commands edit the interfaces file even when the interface configuration is not changed |
The NCLU This issue is currently being investigated. |