The following CVEs were announced in Debian Security Advisory DSA-4387-1 and affect the openssh package.

This issue is fixed in Cumulus RMP 3.7.5.

---------------------------------------------------------------------------------------

Debian Security Advisory DSA-4387-1 security@debian.org

https://www.debian.org/security/ Yves-Alexis Perez

February 09, 2019 https://www.debian.org/security/faq

----------------------------------------------------------------------------------------

Package: openssh

CVE ID: CVE-2018-20685 CVE-2019-6109 CVE-2019-6111

Debian Bug: 793412 919101

Harry Sintonen from F-Secure Corporation discovered multiple vulnerabilities in OpenSSH, an implementation of the SSH protocol suite. All the vulnerabilities are in found in the scp client implementing the SCP protocol.

CVE-2018-20685

Due to improper directory name validation, the scp client allows servers tovmodify permissions of the target directory by using empty or dotvdirectory name.

CVE-2019-6109

Due to missing character encoding in the progress display, the object name can be used to manipulate the client output, for example to employ ANSI codes to hide additional files being transferred.

CVE-2019-6111

Due to scp client insufficient input validation in path names sent by server, a malicious server can do arbitrary file overwrites in target directory. If the recursive (-r) option is provided, the server can also manipulate subdirectories as well.

The check added in this version can lead to regression if the client and the server have differences in wildcard expansion rules. If the server is trusted for that purpose, the check can be disabled with a new -T option to the scp client.

For the stable distribution (stretch), these problems have been fixed in version 1:7.4p1-10+deb9u5.

We recommend that you upgrade your openssh packages.

For the detailed security status of openssh please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/openssh

The following CVEs were announced in Debian Security Advisory DSA-4400-1 and affect the openssl package.

This issue is fixed in Cumulus RMP 3.7.5.

---------------------------------------------------------------------------------------

Debian Security Advisory DSA-4400-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

February 28, 2019 https://www.debian.org/security/faq

----------------------------------------------------------------------------------------

Package : openssl1.0

CVE ID : CVE-2019-1559

Juraj Somorovsky, Robert Merget and Nimrod Aviram discovered a padding oracle attack in OpenSSL.

For the stable distribution (stretch), this problem has been fixed in version 1.0.2r-1~deb9u1.

We recommend that you upgrade your openssl1.0 packages.

For the detailed security status of openssl1.0, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/openssl1.0

https://security-tracker.debian.org/tracker/CVE-2019-1559

The following CVEs were announced in Debian Security Advisory DSA-4367-1 and affect the systemd package.

This issue is fixed in Cumulus RMP 3.7.4.

-----------------------------------------------------------------------------------

Debian Security Advisory DSA-4367-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

January 13, 2019 https://www.debian.org/security/faq

-----------------------------------------------------------------------------------

Package: systemd

CVE ID: CVE-2018-16864 CVE-2018-16865 CVE-2018-16866

Debian Bug: 918841 918848

The Qualys Research Labs discovered multiple vulnerabilities in systemd-journald. Two memory corruption flaws, via attacker-controlled alloca()s (CVE-2018-16864, CVE-2018-16865) and an out-of-bounds read flaw leading to an information leak (CVE-2018-16866), could allow an attacker to cause a denial of service or the execution of arbitrary code.

Further details in the Qualys Security Advisory at https://www.qualys.com/2019/01/09/system-down/system-down.txt

For the stable distribution (stretch), these problems have been fixed in version 232-25+deb9u7.

We recommend that you upgrade your systemd packages.

For the detailed security status of systemd, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/system.

ACL install is sensitive to the ordering of the LOG/DROP rules. For example, an ACL policy.d file containing only the following:

[iptables]

-A FORWARD -s 192.0.2.10,192.0.2.11 -j LOG
-A FORWARD -s 192.0.2.10,192.0.2.11 -j DROP

fails to install with the following error message from cl-acltool -i:

error: hw sync failed (Cannot process iptables,FORWARD,78,Rule with LOG must be followed by same rule with DROP)

This happens because cl-acltool internally expands the two rules in the wrong order.

This issue is fixed in Cumulus RMP 3.7.4.

cl-acltool -i fails to install LOG rules if either the source or destination (-d or -s) has multiple comma-separated values, such as:

-A FORWARD -s "192.168.0.0/16" -d "192.168.0.0/16,172.16.0.0/12" -j LOG --log-prefix "DROP: "
-A FORWARD -s "192.168.0.0/16" -d "192.168.0.0/16,172.16.0.0/12" -j DROP

You see errors similar to the following:

error: hw sync failed (Cannot process iptables,FORWARD,46,Rule with LOG must be followed by same rule with DROP)
error: hw sync failed (Cannot process ip6tables,FORWARD,30,Rule with LOG must be followed by same rule with DROP)

This issue is fixed in Cumulus RMP 3.7.4.

The following CVEs were announced and affect the Linux kernel:

https://security-tracker.debian.org/tracker/CVE-2018-17182 for debian.

This issue is fixed in Cumulus RMP 3.7.4.

Currently if the BMC firmware encounters a value that it cannot parse, it logs the following message, which provides insufficient data to understand which value failed to parse correctly and, therefore, how to further investigate the issue.

2012-01-10T20:41:58.694892+09:00 spc-1am09-1-fb02 bmcd: unparsible sensor value "FAULT ALARM"
2012-01-12T07:08:33.694504+09:00 spc-1am09-1-fb02 bmcd: unparsible sensor value "FAULT ALARM"
2012-01-13T17:51:58.695336+09:00 spc-1am09-1-fb02 bmcd: unparsible sensor value "FAULT ALARM"
2012-01-13T19:31:03.692842+09:00 spc-1am09-1-fb02 bmcd: unparsible sensor value "FAULT ALARM" 

This issue is fixed in Cumulus RMP 3.7.4.

On the platforms that require a port block to be configured as a set of 10G or 25G, if you do not configure the entire set, for example:

1=10G
2=25G
3=25G
4=10G

when you restart switchd, the service restarts and Cumulus Linux logs an error message into /var/log/switchd.log that is not clear.

This issue is fixed in Cumulus RMP 3.7.4.

The following CVEs were announced in Debian Security Advisory DSA-4393-1 and affect the systemd package.

This issue is fixed in Cumulus RMP 3.7.4.

----------------------------------------------------------------------------------

Debian Security Advisory DSA-4393-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

February 18, 2019 https://www.debian.org/security/faq

----------------------------------------------------------------------------------

Package : systemd

CVE ID : CVE-2019-6454

Chris Coulson discovered a flaw in systemd leading to denial of service.

An unprivileged user could take advantage of this issue to crash PID1 by sending a specially crafted D-Bus message on the system bus.

For the stable distribution (stretch), this problem has been fixed inversion 232-25+deb9u9.

We recommend that you upgrade your systemd packages.

For the detailed security status of systemd please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/systemd

The following CVEs were announced in Debian Security Advisory DSA-4386-1 and affect the curl package.

This issue is fixed in Cumulus RMP 3.7.4.

----------------------------------------------------------------------------------

Debian Security Advisory DSA-4386-1 security@debian.org

https://www.debian.org/security/ Alessandro Ghedini

February 06, 2019 https://www.debian.org/security/faq

----------------------------------------------------------------------------------

Package : curl

CVE ID : CVE-2018-16890 CVE-2019-3822 CVE-2019-3823

Multiple vulnerabilities were discovered in cURL, an URL transfer library.

CVE-2018-16890

Wenxiang Qian of Tencent Blade Team discovered that the function handling incoming
NTLM type-2 messages does not validate incoming data correctly and is subject to an
integer overflow vulnerability, which could lead to an out-of-bounds buffer read.

CVE-2019-3822

Wenxiang Qian of Tencent Blade Team discovered that the function creating an outgoing
NTLM type-3 header is subject to an integer overflow vulnerability, which could lead to
an out-of-bounds write.

CVE-2019-3823

Brian Carpenter of Geeknik Labs discovered that the code handling the end-of-response for
SMTP is subject to an out-of-bounds heap read.

For the stable distribution (stretch), these problems have been fixed in version 7.52.1-5+deb9u9.

We recommend that you upgrade your curl packages.

For the detailed security status of curl please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/curl

When an interface is configured for OSPF/BGP unnumbered, the
net show interface command shows NotConfigured instead of showing
that it is unnumbered.

This issue is fixed in Cumulus RMP 3.7.3.

The NCLU net add and net commit commands change the interfaces file even
if you add a service like snmp/hostname/etc. This causes an issue with automation.
For example, Ansible runs handlers (ifreload -a for interfaces) during each push if
the file being edited changes.

This issue is fixed in Cumulus RMP 3.7.3.

NCLU net show configuration commands displays a net add syslog command
with invalid syntax. For example, if you run the following commands:

cumulus@switch:~$  net add syslog host ipv4 10.0.0.1 port udp 514
cumulus@switch:~$  net commit

then run net show configuration commands, the output of the command syntax is
invalid.

This issue is fixed in Cumulus RMP 3.7.3.

When you run the net show counters json command, you see the following error if any value is 'Unknown':

ERROR: Execution of the command failed. 
"/usr/cumulus/bin/cl-netstat -j" failed. 
Traceback (most recent call last): 
File "/usr/cumulus/bin/cl-netstat", line 292, in <module> 
cnstat_diff_print(cnstat_dict, cnstat_cached_dict, use_json) 
File "/usr/cumulus/bin/cl-netstat", line 135, in cnstat_diff_print 
print table_as_json(table) 
File "/usr/cumulus/bin/cl-netstat", line 62, in table_as_json 
header[3] : int(line[3]), 
ValueError: invalid literal for int() with base 10: 'Unknown'

To work around this issue, run the following command to clear out the semaphore file created by cl-netstat -c:

cumulus@switch:~$  rm /tmp/cl-netstat-$UID/$UID

This issue is fixed in Cumulus RMP 3.7.3.

When you run the net add (bond|interface) <iface> bridge pvid command, NCLU does not add the port as a slave of the VLAN-aware bridge.

This issue is fixed in Cumulus RMP 3.7.3.

The following CVEs were announced in Debian Security Advisory DSA-4335-1, and affect the nginx package.

This issue is fixed in Cumulus RMP 3.7.3.

-------------------------------------------------------------------------------------

Debian Security Advisory DSA-4335-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

November 08, 2018 https://www.debian.org/security/faq

------------------------------------------------------------------------------------------

Package : nginx

CVE ID : CVE-2018-16843 CVE-2018-16844 CVE-2018-16845

Three vulnerabilities were discovered in Nginx, a high-performance web and reverse proxy server, which could in denial of service in processing HTTP/2 (via excessive memory/CPU usage) or server memory disclosure in the ngx_http_mp4_module module (used for server-side MP4 streaming).

For the stable distribution (stretch), these problems have been fixed in version 1.10.3-1+deb9u2.

We recommend that you upgrade your nginx packages.

For the detailed security status of nginx please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/nginx

The following CVEs were announced in Debian Security Advisory DSA-4360-1, and affect the libarchive package.

This issue is fixed in Cumulus RMP 3.7.3.

-------------------------------------------------------------------------------------

Debian Security Advisory DSA-4360-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

December 27, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------------------

Package: libarchive

CVE ID: CVE-2016-10209 CVE-2016-10349 CVE-2016-10350 CVE-2017-14166 CVE-2017-14501 CVE-2017-14502 CVE-2017-14503 CVE-2018-1000877 CVE-2018-1000878 CVE-2018-1000880

Multiple security issues were found in libarchive, a multi-format archive and compression library: Processing malformed RAR archives could result in denial of service or the execution of arbitrary code and malformed WARC, LHarc, ISO, Xar or CAB archives could result in denial of service.

For the stable distribution (stretch), these problems have been fixed inversion 3.2.2-2+deb9u1.

We recommend that you upgrade your libarchive packages.

For the detailed security status of libarchive, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/libarchive

If an interface is correctly configured according to the /etc/ptm.d/topology.dot file (pass), then the link goes down, ptmd still shows the cbl status as pass.

This issue is fixed in Cumulus RMP 3.7.3.

The kvm-clock module is missing in the kernel on the telemetry server. The system clock only advances one second for approximately every ten real-time seconds that pass. This stops NTP from being able to synchronize the clock.

This issue is fixed in Cumulus RMP 3.7.3.

When the /etc/hostapd.conf file does not exist, the following sequence of commands causes a traceback:

cumulus@switch:~$ net add interface swp1 link down
cumulus@switch:~$ net pending
cumulus@switch:~$ net commit
cumulus@switch:~$ net del interface swp1 link down

To work around this issue:

1. Create the /etc/hostapd.conf file with the following default contents:

   eap_server=0 
   ieee8021x=1 
   driver=wired 
   interfaces= 
   mab_interfaces= 
   parking_vlan_interfaces= 
   parking_vlan_id= 
   mab_activation_delay=30 
   eap_reauth_period=0 
   eap_send_identity=0 
   ctrl_interface=/var/run/hostapd 
   nas_identifier=localhost 
   auth_server_addr= 
   auth_server_port=1812 
   auth_server_shared_secret= 
   acct_server_addr= 
   acct_server_port=1813 
   acct_server_shared_secret= 
   

2. Issue the following commands to set the ownership and permissions:

   sudo chown root.root /etc/hostapd.conf 
   sudo chmod 600 /etc/hostapd.conf 
   

   This issue is fixed in Cumulus RMP 3.7.3.

Using an iptables rule (ACL) to block packets with a source IP address of exactly 0.0.0.0 unexpectedly drops all IPv4 packets.

This issue is fixed in Cumulus RMP 3.7.3.

Note: Cumulus Linux drops these packets by default and no rule is required.

The following CVEs were announced in Debian Security Advisory DSA-4349-1, and affect the libtiff5 package.

This issue is fixed in Cumulus RMP 3.7.3.

-------------------------------------------------------------------------------------

Debian Security Advisory DSA-4349-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

November 30, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------------------

Package: libtiff5

CVE ID: CVE-2017-11613 CVE-2017-17095 CVE-2018-5784 CVE-2018-7456 CVE-2018-8905 CVE-2018-10963 CVE-2018-17101 CVE-2018-18557 CVE-2018-15209 CVE-2018-16335

Multiple vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed.

For the stable distribution (stretch), these problems have been fixed in version 4.0.8-2+deb9u4.

We recommend that you upgrade your tiff packages.

For the detailed security status of tiff, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/tiff

The following CVEs were announced in Debian Security Advisory DSA-4338-1, and affect the qemu package.

This issue is fixed in Cumulus RMP 3.7.3.

-------------------------------------------------------------------------------------

Debian Security Advisory DSA-4338-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

November 11, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------------------

Package: qemu

CVE ID: CVE-2018-10839 CVE-2018-17962 CVE-2018-17963

Debian Bug: 908682 910431 911468 911469

Integer overflows in the processing of packets in network cards emulated by QEMU, a fast processor emulator, could result in denial of service.

In addition this update backports support to passthrough the new CPU features added in the intel-microcode update shipped in DSA 4273 to x86-based guests.

For the stable distribution (stretch), these problems have been fixed in version 1:2.8+dfsg-6+deb9u5.

We recommend that you upgrade your qemu packages.

For the detailed security status of qemu, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/qemu

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Running ifdown vlan or ip link set vlan down brings down a virtual interface but the interface always comes back up after you run the ifreload -a or net commit command.

This issue is fixed in Cumulus RMP 3.7.3.

The following CVEs were announced in Debian Security Advisory DSA-4359-1 and affect the wireshank package.

-----------------------------------------------------------------------------------

Debian Security Advisory DSA-4359-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

December 27, 2018 https://www.debian.org/security/faq

----------------------------------------------------------------------------------

Package: wireshark

CVE ID: CVE-2018-12086 CVE-2018-18225 CVE-2018-18226 CVE-2018-18227 CVE-2018-19622 CVE-2018-19623 CVE-2018-19624 CVE-2018-19625 CVE-2018-19626 CVE-2018-19627 CVE-2018-19628

Multiple vulnerabilities have been discovered in Wireshark, a network protocol analyzer, which could result in denial of service or the execution of arbitrary code.

For the stable distribution (stretch), these problems have been fixed in version 2.6.5-1~deb9u1.

We recommend that you upgrade your wireshark packages.

For the detailed security status of wireshark, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/wireshark

This issue will be fixed in a future version of Cumulus Linux.

The following CVEs were announced in Debian Security Advisory DSA-4367-1 and affect the systemd package.

-----------------------------------------------------------------------------------

Debian Security Advisory DSA-4367-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

January 13, 2019 https://www.debian.org/security/faq

-----------------------------------------------------------------------------------

Package: systemd

CVE ID: CVE-2018-16864 CVE-2018-16865 CVE-2018-16866

Debian Bug: 918841 918848

The Qualys Research Labs discovered multiple vulnerabilities in systemd-journald. Two memory corruption flaws, via attacker-controlled alloca()s (CVE-2018-16864, CVE-2018-16865) and an out-of-bounds read flaw leading to an information leak (CVE-2018-16866), could allow an attacker to cause a denial of service or the execution of arbitrary code.

Further details in the Qualys Security Advisory at https://www.qualys.com/2019/01/09/system-down/system-down.txt

For the stable distribution (stretch), these problems have been fixed in version 232-25+deb9u7.

We recommend that you upgrade your systemd packages.

For the detailed security status of systemd, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/systemd

This issue will be fixed in a future version of Cumulus Linux.

Modifying the /etc/netd.conf file to set show_linux_command = True does not take effect.

This is a known issue that is currently being investigated.

portwd allows an error to change the module type based on the error. For example, a bad write to a module might cause the module type to flap, which causes the link itself to flap.

This is a known issue that is currently being investigated.

For Flexoptix modules, the sudo ifdown command does not disable the Tx laser.

This is a known issue that is currently being investigated.

The NCLU net show lldp and net show interface commands do not show LLDP information for swp* (eth is unaffected).

This is a known issue that is currently being investigated.

When you configure a control plane ACL to define permit and deny rules destined to the local switch, NCLU programs the control plane ACL rules into the FORWARD chain.

This is a known issue that is currently being investigated.

DHCP Relay does not work on traditional bridges. The DHCP Discover message is forwarded as unicast to the DHCP server and the Offer is received correctly, but is not forwarded to the client.

To work around this issue, make sure that the name of the bridge is no longer than 14 characters and change the name of the bridge if necessary.

This is a known issue that is currently being investigated.

When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none.

This is a known issue that is currently being investigated.

ACL install is sensitive to the ordering of the LOG/DROP rules. For example, an ACL policy.d file containing only the following:

[iptables]

-A FORWARD -s 192.0.2.10,192.0.2.11 -j LOG
-A FORWARD -s 192.0.2.10,192.0.2.11 -j DROP

fails to install with the following error message from cl-acltool -i:

error: hw sync failed (Cannot process iptables,FORWARD,78,Rule with LOG must be followed by same rule with DROP)

This happens because cl-acltool internally expands the two rules in the wrong order.

This is a known issue that is currently being investigated.

cl-acltool -i fails to install LOG rules if either the source or destination (-d or -s) has multiple comma-separated values, such as:

-A FORWARD -s "192.168.0.0/16" -d "192.168.0.0/16,172.16.0.0/12" -j LOG --log-prefix "DROP: "
-A FORWARD -s "192.168.0.0/16" -d "192.168.0.0/16,172.16.0.0/12" -j DROP

You see errors similar to the following:

error: hw sync failed (Cannot process iptables,FORWARD,46,Rule with LOG must be followed by same rule with DROP)
error: hw sync failed (Cannot process ip6tables,FORWARD,30,Rule with LOG must be followed by same rule with DROP)

This is a known issue that is currently being investigated.

IPv6 multicast traffic destined to an unregistered multicast group is flooded to all ports in a bridge despite the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/swichd.conf file.

This is a known issue that is currently being investigated.

The NCLU command net show bridge spanning-tree does not show the MLAG peer link as part of the STP forwarding instance:

This is a known issue that is currently being investigated.

When you add ports as bridge ports multiple times with the NCLU command, the commits succeed without error.

To work around this issue, remove the extra interfaces with the net del bridge bridge ports <interface> command.

This issue is fixed in Cumulus RMP 3.7.2.

When you configure SNMP with NCLU commands, the SNMP server does not restart and you see a warning:

WARNING: snmpd is not running.  Run "journalctl -u snmpd" for error messages.

To work around this issue, start SNMP manually.

This issue is fixed in Cumulus RMP 3.7.2.

Add the DAS listener service to the /etc/vrf/systemd.conf file so it can be started in the management VRF as needed.

This issue is fixed in Cumulus RMP 3.7.2.

After attempting to install unsupported ICMPv6-type rules, the hardware sync fails with an Out of table resource message even after you correct the rules.

This issue is fixed in Cumulus RMP 3.7.2.

If you add the MTU to a VLAN with the NCLU net add vlan <vlan> mtu <mtu> command, Cumulus Linux adds extra mtu lines in the /etc/network/interfaces file when there are defined bridge ports that do not exist elsewhere in the file.

This issue is fixed in Cumulus RMP 3.7.2.

The following CVEs were announced in Debian Security Advisory DSA-4314-1 and affect the net-snmp package.

This issue is fixed in Cumulus RMP 3.7.2.

------------------------------------------------------------------

Debian Security Advisory DSA-4314-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

October 11, 2018 https://www.debian.org/security/faq

------------------------------------------------------------------

Package : net-snmp

CVE ID : CVE-2018-18065

Debian Bug : 910638

Magnus Klaaborg Stubman discovered a NULL pointer dereference bug in net-snmp, a suite of Simple Network Management Protocol applications, allowing a remote, authenticated attacker to crash the snmpd process (causing a denial of service).

For the stable distribution (stretch), this problem has been fixed in version 5.7.3+dfsg-1.7+deb9u1.

We recommend that you upgrade your net-snmp packages.

For the detailed security status of net-snmp, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/net-snmp

Upstream info and fix are:

https://dumpco.re/blog/net-snmp-5.7.3-remote-dos

https://sourceforge.net/p/net-snmp/code/ci/7ffb8e25a0db851953155de91f0170e9bf8c457d/

When installing a Cumulus Linux 3.6.1 through 3.7.1 image, the poed service is not enabled by default.

This issue is fixed in Cumulus RMP 3.7.2.

NCLU does not allow for configuration of link-speed 10 and does not parse any unrelated NCLU configuration when link-speed 10 is detected in the /etc/network/interfaces file.

This issue is fixed in Cumulus RMP 3.7.2.

The following CVEs were announced in Debian Security Advisory DSA-4306-1 and affect the python package.

-------------------------------------------------------------------------

Debian Security Advisory DSA-4306-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

September 27, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package: python3.4

CVE ID: CVE-2018-1060 CVE-2018-1061 CVE-2018-1000802

Multiple security issues were discovered in Python: ElementTree failed to initialise Expat's hash salt, two denial of service issues were found in difflib and poplib and the shutil module was affected by a command injection vulnerability.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

This issue will be fixed in a future release.

The following CVEs were announced in Debian Security Advisory DSA-4332-1 and affect the ruby package.

-------------------------------------------------------------------------

Debian Security Advisory DSA-4332-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

November 03, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : ruby2.3

CVE ID : CVE-2018-16395 CVE-2018-16396

Several vulnerabilities have been discovered in the interpreter for the Ruby language. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2018-16395

Tyler Eckstein reported that the equality check of OpenSSL::X509::Name could return true for non-equal objects. If a malicious X.509 certificate is passed to compare with an existing certificate, there is a possibility to be judged incorrectly that they are equal.

CVE-2018-16396

Chris Seaton discovered that tainted flags are not propagated in Array#pack and String#unpack with some directives.

For the stable distribution (stretch), these problems have been fixed in version 2.3.3-1+deb9u4.

We recommend that you upgrade your ruby2.3 packages.

For the detailed security status of ruby2.3, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/ruby2.3

The 2.1 tracker for jessie is: https://security-tracker.debian.org/tracker/ruby2.1

This issue will be fixed in a future release.

The following CVEs were announced in Debian Security Advisory DSA-4311-1 and affect the git package.

-------------------------------------------------------------------

Debian Security Advisory DSA-4311-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

October 05, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------

Package : git

CVE ID : CVE-2018-17456

joernchen of Phenoelit discovered that git, a fast, scalable, distributed revision control system, is prone to an arbitrary code execution vulnerability via a specially crafted .gitmodules file in a project cloned with --recurse-submodules.

For the stable distribution (stretch), this problem has been fixed in version 1:2.11.0-3+deb9u4.

We recommend that you upgrade your git packages.

For the detailed security status of git, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/git

This issue will be fixed in a future release.

The following CVEs were announced in Debian Security Advisory DSA-4924-1 and affect the ghostscript package.

----------------------------------------------------------

Debian Security Advisory DSA-4294-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

September 16, 2018 https://www.debian.org/security/faq

----------------------------------------------------------

Package : ghostscript

CVE ID : CVE-2018-16509 CVE-2018-16802

Tavis Ormandy discovered multiple vulnerabilites in Ghostscript, an interpreter for the PostScript language, which could result in the execution of arbitrary code if a malformed Postscript file is processed (despite the dSAFER sandbox being enabled).

For the stable distribution (stretch), these problems have been fixed in version 9.20~dfsg-3.2+deb9u5.

We recommend that you upgrade your ghostscript packages.

For the detailed security status of ghostscript, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/ghostscript

This issue will be fixed in a future release.

The following CVEs were announced in Debian Security Advisory DSA-4286-1 and affect the curl package.

-------------------------------------------------------------

Debian Security Advisory DSA-4286-1 security@debian.org

https://www.debian.org/security/ Alessandro Ghedini

September 05, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------

Package : curl

CVE ID : CVE-2018-14618

Zhaoyang Wu discovered that cURL, an URL transfer library, contains a buffer overflow in the NTLM authentication code triggered by passwords that exceed 2GB in length on 32bit systems. See https://curl.haxx.se/docs/CVE-2018-14618.html for more information.

For the stable distribution (stretch), this problem has been fixed in version 7.52.1-5+deb9u7.

We recommend that you upgrade your curl packages.

For the detailed security status of curl, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/curl

This issue will be fixed in a future release.

NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the /etc/snmp/snmpd.conf file but the SNMPv3 user cache file /var/lib/snmp/snmpd.conf fails to update correctly and the configuration does not reflect in operation.

To work around this issue, stop snmpd, remove the cache file, then restart snmpd.

This is a known issue that is currently being investigated.

When you run the net add (bond|interface) <iface> bridge pvid command, NCLU does not add the port as a slave of the VLAN-aware bridge.

This is a known issue that is currently being investigated.

The following CVEs were announced in Debian Security Advisory DSA-4335-1 and affect the nginx package.

-------------------------------------------------------------------------------------

Debian Security Advisory DSA-4335-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff November 08, 2018

https://www.debian.org/security/faq

--------------------------------------------------------------------------------------

Package : nginx

CVE ID : CVE-2018-16843 CVE-2018-16844 CVE-2018-16845

Three vulnerabilities were discovered in Nginx, a high-performance web and reverse proxy server, which could in denial of service in processing HTTP/2 (via excessive memory/CPU usage) or server memory disclosure in the ngx_http_mp4_module module (used for server-side MP4 streaming).

For the stable distribution (stretch), these problems have been fixed in version 1.10.3-1+deb9u2.

We recommend that you upgrade your nginx packages.

For the detailed security status of nginx, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/nginx

This issue will be fixed in a future release.

The following CVEs were announced in Debian Security Advisory DSA-4288-1 and affect the ghostscript package.

-----------------------------------------------------------------

Debian Security Advisory DSA-4288-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

September 07, 2018 https://www.debian.org/security/faq

------------------------------------------------------------------

Package : ghostscript

CVE ID : CVE-2018-15908 CVE-2018-15910 CVE-2018-15911 CVE-2018-16511 CVE-2018-16513 CVE-2018-16539 CVE-2018-16540 CVE-2018-16541 CVE-2018-16542 CVE-2018-16543 CVE-2018-16585

Tavis Ormandy discovered multiple vulnerabilities in Ghostscript, an interpreter for the PostScript language, which could result in denial of service, the creation of files or the execution of arbitrary code if a malformed Postscript file is processed (despite the dSAFER sandbox being enabled).

For the stable distribution (stretch), these problems have been fixed in version 9.20~dfsg-3.2+deb9u4.

We recommend that you upgrade your ghostscript packages.

For the detailed security status of ghostscript, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/ghostscript

This issue will be fixed in a future release.

There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example,1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces:

2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on   LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.

This is a known issue that is currently being investigated.

After attempting to install unsupported ICMPv6-type rules, the hardware sync fails with an Out of table resource message even after you correct the rules.

This is a known issue that is currently being investigated.

NCLU net show configuration commands does not display any output for IPv6 rsyslog hosts.

This is a known issue that is currently being investigated.

NCLU net show configuration commands displays a net add syslog command with invalid syntax. For example, if you run the following commands:

cumulus@switch:~$ net add syslog host ipv4 10.0.0.1 port udp 514
cumulus@switch:~$ net commit

then run net show configuration commands, the output of the command syntax is invalid.

This is a known issue that is currently being investigated.

If you try to bring down several members of a bond remotely at the same time, the link state of one of the interfaces does not correctly transition to the down state; however, all links show down in hardware.

This is a known issue that is currently being investigated.

The link-down yes configuration in the /etc/network/interfaces file does not work for the eth0 or eth1 interface configured in the management VRF. This issue is not observed if the Ethernet interface is in the default VRF.

This issue is fixed in Cumulus RMP 3.7.0.

The following CVEs were announced in Debian Security Advisory DSA-4259-1 and affect the ruby2.3 package.

This issue is fixed in Cumulus RMP 3.7.0.

-------------------------------------------------------------------------

Debian Security Advisory DSA-4259-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

July 31, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package: ruby2.3

CVE ID: CVE-2017-17405 CVE-2017-17742 CVE-2017-17790 CVE-2018-6914 CVE-2018-8777 CVE-2018-8778 CVE-2018-8779 CVE-2018-8780 CVE-2018-1000073 CVE-2018-1000074 CVE-2018-1000075 CVE-2018-1000076 CVE-2018-1000077 CVE-2018-1000078 CVE-2018-1000079

Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may result in incorrect processing of HTTP/FTP, directory traversal, command injection, unintended socket creation or information disclosure.

This update also fixes several issues in RubyGems which could allow an attacker to use specially crafted gem files to mount cross-site scripting attacks, cause denial of service through an infinite loop, write arbitrary files, or run malicious code.

For the stable distribution (stretch), these problems have been fixed in version 2.3.3-1+deb9u3.

We recommend that you upgrade your ruby2.3 packages.

Note: CVE-2018-1000073 and CVE-2018-1000074 are awaiting re-analysis.

For the detailed security status of ruby2.3, refer to its security tracker page at: https://security-tracker.debian.org/tracker/ruby2.3

When you run an NCLU command from the command line, the command hangs without a response.

This issue is fixed in Cumulus RMP 3.7.0.

When the ptmd daemon detects an LLDP neighbor change event, the respective script is executed (if-topo-pass or if-topo-fail). Environment variables are set and are accessible to the script (as described in man ptmd). However, in LLDP events, some environment variables are not getting set correctly.

This issue is fixed in Cumulus RMP 3.7.0.

If SNMP is configured, entering the NCLU command to create an SNMP v3 user that already exists returns an exit code of 1.

To work around this issue, delete the username with net del snmp-server username <username> command before adding it again.

This issue is fixed in Cumulus RMP 3.7.0.

The following CVEs were announced in Debian Security Advisory DSA-4280-1 and affect the openssh package.

This issue is fixed in Cumulus RMP 3.7.0.

-------------------------------------------------------------------------

Debian Security Advisory DSA-4280-1 security@debian.org

https://www.debian.org/security/ Sebastien Delafond

August 22, 2018 https://www.debian.org/security/faq

--------------------------------------------------------------------------

Package : openssh

CVE ID : CVE-2018-15473

Debian Bug : 906236

Dariusz Tytko, Michal Sajdak and Qualys Security discovered that OpenSSH, an implementation of the SSH protocol suite, was prone to a user enumeration vulnerability. This would allow a remote attacker to check whether a specific user account existed on the target server.

For the stable distribution (stretch), this problem has been fixed in version 1:7.4p1-10+deb9u4.

We recommend that you upgrade your openssh packages.

For the detailed security status of openssh, refer to its security tracker page at: https://security-tracker.debian.org/tracker/openssh

The following CVEs affect ntp.

This issue is fixed in Cumulus RMP 3.7.0.

-------------------------------------------------------------------------

Ubuntu Security Notice USN-3707-1

July 09, 2018

ntp vulnerabilities

-------------------------------------------------------------------------

A security issue affects these releases of Ubuntu and its derivatives:

Ubuntu 18.04 LTS

Ubuntu 17.10

Ubuntu 16.04 LTS

Ubuntu 14.04 LTS

Summary: Several security issues were fixed in NTP.

Software Description: ntp: Network Time Protocol daemon and utility programs

Details:

Yihan Lian discovered that NTP incorrectly handled certain malformed mode 6 packets. A remote attacker could possibly use this issue to cause ntpd to crash, resulting in a denial of service. This issue only affected Ubuntu 17.10 and Ubuntu 18.04 LTS. (CVE-2018-7182)

Michael Macnair discovered that NTP incorrectly handled certain responses. A remote attacker could possibly use this issue to execute arbitrary code. (CVE-2018-7183)

Miroslav Lichvar discovered that NTP incorrectly handled certain zero-origin timestamps. A remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 17.10 and Ubuntu 18.04 LTS. (CVE-2018-7184)

Miroslav Lichvar discovered that NTP incorrectly handled certain zero-origin timestamps. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2018-7185)

Update instructions: The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS: ntp 1:4.2.8p10+dfsg-5ubuntu7.1

Ubuntu 17.10: ntp 1:4.2.8p10+dfsg-5ubuntu3.3

Ubuntu 16.04 LTS: ntp 1:4.2.8p4+dfsg-3ubuntu5.9

Ubuntu 14.04 LTS: ntp 1:4.2.6.p5+dfsg-3ubuntu2.14.04.13

In general, a standard system update will make all the necessary changes.

References: https://usn.ubuntu.com/usn/usn-3707-1

CVE-2018-7182, CVE-2018-7183, CVE-2018-7184, CVE-2018-7185

The following CVEs were announced in Debian Security Advisory DSA-4266-1 and affect the kernel.

This issue is fixed in Cumulus RMP 3.7.0.

-------------------------------------------------------------------------

Debian shows the CVE-2018-13405 details, including link to the kernel.org fix here: https://security-tracker.debian.org/tracker/CVE-2018-13405.

The kernel.org fix is here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7

Debian has the CVE-2018-5390 TCP DoS info here: https://security-tracker.debian.org/tracker/CVE-2018-5390.

CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') - CVE-2018-5390

Linux kernel versions 4.9+ can be forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service. An attacker can induce a denial of service condition by sending specially modified packets within ongoing TCP sessions. Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port. Thus, the attacks cannot be performed using spoofed IP addresses.

https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=1a4f14bab1868b443f0dd3c55b689a478f82e72e

The following CVEs were announced in Debian Security Advisory DSA-4269-1 and affect the postgresql package.

CVE-2018-10925 is fixed in Cumulus RMP 3.7.0. CVE-2018-10915 will be fixed when it's fixed upstream.

-------------------------------------------------------------------------

Debian Security Advisory DSA-4269-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

August 10, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : postgresql-9.6

CVE ID : CVE-2018-10915 CVE-2018-10925

Two vulnerabilities have been found in the PostgreSQL database system:

CVE-2018-10915

Andrew Krasichkov discovered that libpq did not reset all its connection state during reconnects.

CVE-2018-10925

It was discovered that some "CREATE TABLE" statements could disclose server memory.

For additional information, refer to the upstream announcement at https://www.postgresql.org/about/news/1878/

For the detailed security status of postgresql-9.6, refer to its security tracker page at: https://security-tracker.debian.org/tracker/postgresql-9.6

https://security-tracker.debian.org/tracker/source-package/postgresql-9.4

https://security-tracker.debian.org/tracker/CVE-2018-10915

https://security-tracker.debian.org/tracker/CVE-2018-10925

CVE-2018-10925 is listed as fixed in jessie source package: 9.4.19-0+deb8u1

By default, the nginx server used for the HTTP API on port 8080 is enabled, but does not listen to external requests. However, it appears to be listening and answering external requests.

This issue is fixed in Cumulus RMP 3.7.0.

Whenever there is a netlink link event, mstpd prints an additional log: bridge_notify: port 65: no_flush 0 where 65 is the ifIndex. There are already clear logs when there is a link transition; this log is not necessary.

This issue is fixed in Cumulus RMP 3.7.0.

Counter samples exported from the switch show an incorrect interface speed.

This is a known issue that is currently being investigated.

Multicast forwarding fails for IP addresses whose DMAC overlaps with reserved DIPs.

This is a known issue that is currently being investigated.

If a two nodes on both sides of a link change from auto-negotiation off to auto-negotiation on for both sides during a short interval (around one second), the link might start flapping or stay down.

To work around this issue and stop the flapping, turn the link down on the switch with the command ifdown swpX, wait a few seconds, then bring the link back up with the command ifup swpX. Repeat this on the other side if necessary.

When sFlow is enabled, some sampled packets, such as IPMC, are forwarded twice (in the ASIC and then again through the kernel networking stack).

This is a known issue that is currently being investigated.

There is a parsing error with the smonctl utility. In some cases when JSON output is chosen, the smonctl utility crashes. The JSON output is necessary to make the information available through SNMP.

This is a known issue that is currently being investigated.

The dhcrelay command does not bind to an interface if the interface's name is longer than 14 characters.

To work around this issue, change the interface name to be 14 or fewer characters if dhcrelay is required to bind to it.

This is a known issue that is currently being investigated.

If you configure a VLAN under a VLAN-aware bridge and create a subinterface of the same VLAN on one of the bridge ports, the bridge and interface compete for the same VLAN and if the interface is flapped, it stops working. Correcting the configuration and running the ifreload command does not resolve the conflict. To work around this issue, correct the bridge VIDs and restart switchd or delete the subinterface.

This is a known issue that is currently being investigated.

PIM and MSDP entries are set to the internal COS value of 6 so they are grouped together with the bulk traffic priority group in the default traffic.conf file. However, PIM, IGMP, and MSDP are considered control-plane and should be set to the internal COS value of 7.

This is a known issue that is currently being investigated.

In certain cases, a peer device sends an ARP request from a source IP address that is not on the connected subnet and the switch creates a STALE neighbor entry. Eventually, the switch attempts to keep the entry fresh and sends ARP requests to the host. If the host responds, the switch has REACHABLE neighbor entries for hosts that are not on the connected subnet.

To work around this issue, change the value of arp_ignore to 2. See Default ARP Settings in Cumulus Linux for more information.

SNMPv3 TRAP passwords or encryption keys longer then 16 characters might result in a core dump. For example:

net add snmp-server trap-destination 3.3.3.3 username 
verlongtrapusername auth-md5 verylongmd52345678901234567890 
encrypt-aes verylongencrypt567890123456789012345678 
engine-id 0x80001f8880f49b75319690895b00000000

# this results in a core dump:
root@cel-redxp-01:/home/cumulus# systemctl status  snmpd
   snmpd.service - Simple Network Management Protocol (SNMP) Daemon.
   Loaded: loaded (/lib/systemd/system/snmpd.service; enabled)
   Active: failed (Result: core-dump) since Wed 2018-09-05 16:18:05 UTC; 1min 25s ago
  Process: 21163 ExecStart=/usr/sbin/snmpd $SNMPDOPTS -f (code=dumped, signal=SEGV)
 Main PID: 21163 (code=dumped, signal=SEGV)
Sep 05 16:18:05 cel-redxp-01 systemd[1]: Started Simple Network Management Protocol (SNMP) Daemon..

Sep 05 16:18:05 cel-redxp-01 systemd[1]: snmpd.service: main process exited, code=dumped, status=11/SEGV
Sep 05 16:18:05 cel-redxp-01 systemd[1]: Unit snmpd.service entered failed state.

To work around this issue, use SNMPv3 TRAP passwords and encryption keys that are 16 characters or shorter.

This is a known issue that is currently being investigated.

If a packet to an unknown IP address (but known network) enters the switch and matches an INPUT ACL rule, it is redirected  for ARP and the counters increment for that rule, but it does not perform the action. This only happens until the ARP reply is sent, and then the traffic is forwarded properly.

To work around this issue, change the rules to INPUT,FORWARD instead of INPUT. Drops should then be logged properly.

This is a known issue that is currently being investigated.

The /etc/restapi.conf file is not listed in the net show configuration files command output.

This is a known issue that is currently being investigated.

When you add ports as bridge ports multiple times with the NCLU cmmand, the commits succeed without error.

To work around this issue, remove the extra interfaces with the net del bridge bridge ports <interface> command.

This is a known issue that is currently being investigated.

When you configure SNMP with NCLU commands, the SNMP server does not restart and you see a warning:

WARNING: snmpd is not running.  Run "journalctl -u snmpd" for error messages.

To work around this issue, start SNMP manually.

This is a known issue that is currently being investigated.

Add the DAS listener service to the /etc/vrf/systemd.conf file so it can be started in the management VRF as needed.

This issue is currently being investigated.

The NCLU net add and net commit commands change the interfaces file even if you add a service like snmp/hostname/etc. This causes an issue with automation. For example, Ansible runs handlers (ifreload -a for interfaces) during each push if the file being edited changes.

This issue is currently being investigated.