Cumulus Linux 4.2 Release Notes
4.2.1 Release Notes
Open Issues in 4.2.1
Issue ID | Description | Affects | Fixed |
---|---|---|---|
3351951 |
Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. | 4.2.1-5.3.1 | 5.4.0 |
3330705 |
When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. |
3.7.0-5.3.1 | 5.4.0 |
3330654 |
When using TACACS+, if the /etc/nsswitch.conf file specifies passwd: files tacplus (files is listed before tacplus ), the user name mapping might be incorrect; for example, the user name shown in the default prompt might be incorrect. When you use NVUE, this occurs when the priority for the authentication order of local is higher than tacacs . |
3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.4.0 | |
3327477 |
Using su to change to a user specified through TACACS+ results in becoming the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. When sudo asks for the password of the named user, it is unlikely to match that of the local tacacs0 thru tacacs15 user. |
3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.4.0 | |
3291548 |
In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart switchd . |
4.2.1-4.4.5 | 5.0.0-5.4.0 |
3234031 |
If BGP neighbor is set, negating with no no neighbor does not disable the setting. To work around this issue and disable the setting, restart the FRR service. |
4.2.1-5.2.1 | 5.3.0-5.4.0 |
3216922 |
RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). |
3.7.0-5.2.1 | 5.3.0-5.4.0 |
3216759 |
With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctlyhal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More ResourcesTo work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. |
3.7.15-4.4.4 | 4.4.5 |
3209699 |
RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users) |
3.7.0-4.3.0, 4.4.0-5.2.1 | 4.3.1, 5.3.0-5.4.0 |
3135801 |
Zebra rejects MAC IP updates from BGP when the MAC mobility sequence number that BGP sends is lower than the sequence number known to zebra When the MAC mobility sequence that BGP knows legitimately lowers (due to narrow timing conditions during convergence or after rebooting an MLAG pair one VTEP at a time), zebra rejects these updates and maintains a stale state. If the stale information that zebra uses points to the wrong VTEP address, traffic goes to the wrong VTEP and might drop. |
4.0.0-4.3.0, 4.4.0-4.4.5 | 3.7.16, 4.3.1 |
3123556 |
When you configure an interface in FRR to send IPv6 RAs before you configure the interface in the /etc/network/interfaces file, the switch does not process IPv6 RAs. To work around this issue, remove the interface configuration in FRR and reapply it. |
3.7.15-4.3.0, 4.4.0-5.1.0 | 4.3.1, 5.2.0-5.4.0 |
3119615 |
In an MLAG topology, if you admin down a single connected interface, any dynamic MAC addresses on the peer link are flushed, then added back momentarily, which creates a disruption in traffic. | 3.7.15-5.1.0 | 5.2.0-5.4.0 |
3093863 |
The snmpd process will slowly leak memory when you poll TCP-MIB objects. To work around this issue, restart the snmpd service to free memory with the systemctl restart snmpd command. |
3.7.16-4.4.3 | 4.4.4-4.4.5, 5.2.0-5.4.0 |
3089165 |
A slow memory leak might occur in switchd } if the route fails to install in hardware when hardware resources are exhausted. |
4.2.1-4.4.3 | 4.4.4-4.4.5 |
3077737 |
The update-ports.service fails because a blank space in the comment lines of the /etc/cumulus/ports.conf file causes parsing errorsTo work around this issue, remove the blank spaces in the commented lines, then restart the update-ports and switchd services. |
3.7.15-4.3.0 | 4.3.1-4.4.5, 4.4.4-4.4.5 |
3066704 |
The hostapd service stops working if an 802.1X interface goes up and down many times over a long period of timeTo work around this issue, restart the hostapd service with the systemctl restart hostapd command. |
3.7.15-4.3.0 | 4.3.1-4.4.5 |
3053197 |
The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install. |
4.2.1-4.4.5, 5.0.0-5.4.0 | |
3046023 |
The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install. |
4.2.1-5.1.0 | 5.2.0-5.4.0 |
3021693 |
When ARP suppression is off, Cumulus Linux sends GARPs from neighmgrd for remote neighbors over VXLAN. |
3.7.15-4.3.0, 4.4.0-4.4.3, 5.0.0-5.1.0 | 4.3.1, 4.4.4-4.4.5, 5.2.0-5.4.0 |
3007564 |
After you delete the last vxlan-remoteip configuration line from the /etc/network/interfaces file and run the ifreload -a command, the corresponding BUM flood entry is not removed. |
3.7.15-5.0.1 | 5.1.0-5.4.0, 5.2.0-5.4.0 |
2999341 |
CVE-2021-3570The ptp4l program in linuxptp, an implementation of the Precision Time Protocol (PTP), does not validate the messageLength field of incoming messages, allowing a remote attacker to cause a denial of service, information leak, or potentially remote code execution Fixed: 1.9.2-1+deb10u1 |
4.2.1-4.4.1 | 4.4.2-4.4.5 |
2991514 |
Cumulus Linux can take a long time (100 seconds) to sync a large number of VNIs on a bridge. | 3.7.15-4.3.0 | 4.3.1-4.4.5 |
2968495 |
If switchd requires more time to update port or bond configuration after the port or bond flaps, the systemd watchdog times out. As result, systemd might assume that switchd is unresponsive and restarts it. |
4.2.1-4.4.2 | 4.4.3-4.4.5, 5.1.0-5.4.0 |
2961008 |
SNMP reports the same ifType of ethernetCsmacd(6) for loopback interfaces. |
3.7.15-4.4.2, 5.0.0-5.0.1 | 4.4.3-4.4.5, 5.1.0-5.4.0 |
2959067 |
ECMP produces errors indicating No More Resources and switchd crashes even when ECMP utilization is low. |
3.7.14.2-4.2.1 | 4.3.0-4.4.5 |
2951110 |
The net show time ntp servers command does not show any output with management VRF. |
3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.4.0 | |
2949512 |
On the EdgeCore AS4610-54T switch, the fan speed reports a minimum threshold in the logs. | 3.7.15-4.3.0 | 4.3.1-4.4.5 |
2943443 |
Cumulus Linux lets you add more than one VXLAN interface to same VLAN on the same bridge. This is an invalid configuration as certain Cumulus Linux components, such as switchd , expect a single VNI for a given bridge or VLAN. |
3.7.15, 4.2.1-4.3.0, 4.4.2-5.0.1 | 3.7.16, 4.3.1, 5.1.0-5.4.0 |
2940063 |
Under certain high scale conditions, various modules might experience timetouts during cl-support collection, which results in missing data in the cl-support file. | 3.7.12-3.7.15, 4.1.1-4.3.0 | 3.7.16, 4.3.1-4.4.5, 5.0.0-5.4.0 |
2940052 |
When you configure the switch with the minimum reserved VLAN of 150 and the internal VLANs are exhausted, the MLAG peer does not forward the VLAN. | 3.7.15, 4.2.1-4.3.0 | 3.7.16, 4.3.1-4.4.5 |
2906967 |
You can’t have more than one VLAN subinterface on the same port on the same bridge. | 4.1.1-4.3.0 | 4.3.1-4.4.5 |
2902013 |
The NCLU commit command adds a five second delay. | 4.2.1-4.4.5 | |
2899422 |
Broadcom switches return a table full error when creating VXLAN gports, which causes {switchd to crash. | 3.7.15-4.3.0 | 4.3.1-4.4.5 |
2896733 |
Traffic failover in a multicast topology with redundancy has the mroute stuck in a prune state and PIM join messages continue to send. To work around this issue, run the vtysh clear ip mroute command. |
3.7.15-4.3.0, 5.0.0-5.0.1 | 4.3.1-4.4.5, 5.1.0-5.4.0 |
2893895 |
CVE-2020-35498: A vulnerability was found in openvswitch. A limitation in the implementation of userspace packet parsing can allow a malicious user to send a specially crafted packet causing the resulting megaflow in the kernel to be too wide, potentially causing a denial of service. The highest threat from this vulnerability is to system availability Vulnerable: <= 2.8.90-1-cl4u5Fixed: 2.8.90-1-cl4u6, 2.8.90-1-cl4.4.0u1, 2.8.90-1-cl5.0.0u8 |
4.0.0-4.3.1 | 4.4.0-4.4.5, 5.1.0-5.4.0 |
2891255 |
CVE-2021-39925: Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file Vulnerable: <= 2.6.20-0+deb10u1Fixed: 2.6.20-0+deb10u2 |
4.0.0-4.4.1, 5.0.0-5.4.0 | 4.4.2-4.4.5 |
2890681 |
CVE-2021-42771: relative path traversal in Babel, a set of tools for internationalising Python applications, could result in the execution of arbitrary code Vulnerable: 2.6.0+dfsg.1-1Fixed: 2.6.0+dfsg.1-1+deb10u1 |
4.0.0-4.4.1, 5.0.0-5.4.0 | 4.4.2-4.4.5 |
2875338 |
In a scaled EVPN-MLAG configuration (observed with 400 or more VNIs and 20K or more MAC addresses – the actual scale might vary), when the peer link flaps causing all VNIs to come up at the same time, there might be high CPU utilization on the system for several minutes and the FRR service might restart. After FRR restarts or the CPU utilization settles down, the system functions normally. | 4.2.1-4.3.0, 4.4.0-5.0.1 | 3.7.16, 4.3.1, 5.1.0-5.4.0 |
2875296 |
On a Mellanox Spectrum-2 switch, after running the systemctl restart networking service command on the MLAG primary switch, the secondary switch also closes its ports. To work around this issue, run the ifreload -a command to restart networking. |
4.2.1-4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5 |
2867058 |
On the Dell Z9264F-ON switch, interfaces that use the QSFP28 module remain down after you restart switchd . |
3.7.15-4.3.0 | 4.3.1-4.4.5 |
2866084 |
When you reboot a VTEP, MAC address entries might become out of sync between the kernel FDB table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries are installed against the rebooted VTEP IP address in the kernel FDB and the correct VTEP IP is present in the EVPN MAC VNI table. To work around this issue, clear all corrupted MAC address entries in the kernel FDB with the bridge fdb del dev command, then add “vxlan-learning”: “off” in the /etc/network/ifupdown2/policy.d/vxlan.json file:$ cat /etc/network/ifupdown2/policy.d/vxlan.jsonReboot the affected switches. |
3.7.12-4.3.0 | 4.3.1-4.4.5 |
2859177 |
The cl-route-check –layer3 command fails with a memory error. For example:cumulus@switch:~$ sudo cl-route-check –layer3Traceback (most recent call last): |
3.7.15-4.4.1 | 4.4.2-4.4.5 |
2845531 |
If you update the MAC address of an SVI when the SVI is in a protodown state (for example, when no bridge ports that carry this VNI are operationally up or if the MAC address of the SVI’s parent bridge changes), clagd does not notice the change. The MLAG peer incorrectly maintains a PERMANENT neighbor entry for the SVI IP that points to the old MAC address. |
4.2.1-4.4.5 | 5.0.0-5.4.0 |
2840819 |
CVE-2021-25219: The lame server cache in BIND, a DNS server implementation, can be abused by an attacker to significantly degrade resolver performance, resulting in denial of service (large delays for responses for client queries and DNS timeouts on client hosts). | 4.0.0-4.3.0 | 4.3.1-4.4.5, 4.4.2-4.4.5, 5.0.0-5.4.0 |
2821869 |
The cl-route-check –layer3 command fails with a memory error. For example:cumulus@switch:~$ sudo cl-route-check –layer3Traceback (most recent call last): |
3.7.15-4.4.5 | 5.0.0-5.4.0 |
2816069 |
On the EdgeCore AS7326 switch, unicast ARP requests are not forwarded to the control plane. | 4.2.1-4.3.0 | 4.3.1-4.4.5 |
2792750 |
If you change the clagd-vxlan-anycast-ip setting on both MLAG peers at the same time, both peers use their unique VTEP address indefinitely. |
3.7.15-4.3.0, 4.4.0-4.4.5 | 4.3.1 |
2782033 |
The following vulnerabilities have been announced in the openssl packages:CVE-2021-3711: buffer overflow vulnerability in SM2 decryption CVE-2021-3712: buffer overrun when processing ASN.1 strings in the X509_aux_print() function More details at https://www.openssl.org/news/secadv/20210824.txt Vulnerable: <= 1.1.1d-0+deb10u6Fixed: 1.1.1d-0+deb10u7 |
4.0.0-4.4.1 | 4.4.2-4.4.5 |
2755615 |
When route_preferred_over_neigh is set to FALSE in the /etc/cumulus/switchd.conf file, host routes (/32 or /128) are used for forwarding in hardware instead of a local neighbor entry. |
4.0.0-4.3.0, 4.4.0-4.4.1 | 4.3.1, 4.4.2-4.4.5, 5.0.0-5.4.0 |
2754691 |
CVE-2021-3672: in c-ares, a library that performs DNS requests and name resolution asynchronously, missing input validation of hostnames returned by DNS servers can lead to output of wrong hostnames (leading to Domain Hijacking) Vulnerable: 1.14.0-1Fixed: 1.14.0-1+deb10u1 |
4.0.0-4.4.1 | 4.4.2-4.4.5 |
2754685 |
CVE-2021-38165: lynx, a non-graphical (text-mode) web browser, does not properly handle the userinfo subcomponent of a URI, which can lead to leaking of credential in cleartext in SNI data Vulnerable: 2.8.9rel.1-3Fixed: 2.8.9rel.1-3+deb10u1 |
4.0.0-4.4.1 | 4.4.2-4.4.5 |
2754679 |
CVE-2020-26558 / CVE-2021-0129: Bluez does not properly check permissions during pairing operation, which could allow an attacker to impersonate the initiating device CVE-2020-27153: a double free flaw in the disconnect_cb() routine in the gattool. A remote attacker can take advantage of this flaw during service discovery for denial of service, or potentially, execution of arbitrary code Vulnerable: <= 5.50-1.2~deb10u1Fixed: 5.50-1.2~deb10u2 |
4.0.0-4.4.1 | 4.4.2-4.4.5 |
2753955 |
On the Lenovo MSN3700 switch, if you try to configure an interface with a link speed of 200G, the configuration fails. | 4.2.1-4.4.5 | 5.0.0-5.4.0 |
2747605 |
CVE-2021-3246: a buffer overflow in libsndfile, a libraryfor reading/writing audio files, which could result in denial of serviceor potentially the execution of arbitrary code when processing amalformed audio file Vulnerable: 1.0.28-6Fixed: 1.0.28-6+deb10u1 |
4.0.0-4.4.1 | 4.4.2-4.4.5 |
2743186 |
When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. |
3.7.15-5.1.0 | 5.2.0-5.4.0 |
2739690 |
CVE-2021-22918: An out-of-bounds read was discovered in the uv__idna_to_ascii() function of Libuv, an asynchronous event notification library, which could result in denial of service or information disclosure Vulnerable: 1.24.1-1Fixed: 1.24.1-1+deb 10u1 |
4.0.0-4.4.1 | 4.4.2-4.4.5 |
2739639 |
CVE-2021-36222: It was discovered that the Key Distribution Center (KDC) in krb5, the MIT implementation of Kerberos, is prone to a NULL pointer dereference flaw. An unauthenticated attacker can take advantage of this flaw to cause a denial of service (KDC crash) by sending a request containing a PA-ENCRYPTED-CHALLENGE padata element without using FAST Vulnerable: <= 1.17-3+deb10u1Fixed: 1.17-3+deb10u2 |
4.0.0-4.4.1 | 4.4.2-4.4.5 |
2736265 |
After an apt upgrade, the OPTIONS configuration line in /etc/default/isc-dhcp-relay might be removed. To work around this issue, reconfigure the desired options in the file after the upgrade completes. |
3.7.12-3.7.15, 4.2.1-4.3.0 | 3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5 |
2734122 |
CVE-2021-33910: The Qualys Research Labs discovered that an attacker-controlled allocation using the alloca() function could result in memorycorruption, allowing to crash systemd and hence the entire operating system. Details can be found at https://www.qualys.com/2021/07/20/cve-2021-33910/denial-of-service-systemd.txt Vulnerable: <= 241-7~deb10u7Fixed: 241-7~deb10u8 |
4.0.0-4.4.1 | 4.4.2-4.4.5 |
2734107 |
When withdrawal and advertisement processing occurs in short succession, type-2 routes with an IP are not imported into layer 2 VNIs. | 3.7.12-4.4.1 | 4.4.2-4.4.5 |
2730225 |
When withdrawal and advertisement processing occurs in short succession, type-2 routes with an IP are not imported into layer 2 VNIs. | 3.7.12-4.3.0, 4.4.0-4.4.1 | 4.3.1, 4.4.2-4.4.5 |
2728207 |
CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
2728206 |
CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
2728205 |
CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-4.4.1 | 4.4.2-4.4.5 |
2728138 |
CVE-2020-36221, CVE-2020-36222, CVE-2020-36223, CVE-2020-36224, CVE-2020-36225, CVE-2020-36226, CVE-2020-36227, CVE-2020-36228, CVE-2020-36229, CVE-2020-36230: Several vulnerabilities were discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of these flaws to cause a denial of service (slapd daemon crash, infinite loops) via specially crafted packets. Vulnerable: <= 2.4.47+dfsg-3+deb10u4 Fixed: 2.4.47+dfsg-3+deb10u5 |
4.0.0-4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5 |
2728134 |
CVE-2021-27212: A vulnerability in the Certificate List Exact Assertion validation was discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of this flaw to cause a denial of service (slapd daemon crash) via specially crafted packets. Vulnerable: <= 2.4.47+dfsg-3+deb10u5 Fixed: 2.4.47+dfsg-3+deb10u6 |
4.0.0-4.3.1 | 4.4.0-4.4.5 |
2716822 |
The /etc/cumulus/ports.conf file on the Dell Z9264F-ON switch does not show that Cumulus Linux does not support the 2x10G SFP+ ports. |
3.7.15-4.3.0 | 4.3.1-4.4.5 |
2713888 |
With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctlyhal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More ResourcesTo work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. |
3.7.15-5.0.1 | 5.1.0-5.4.0 |
2711533 |
On the AS7326-56X switch, the link lights for 25G ports configured to work at 1G do not illuminate. | 4.2.1-4.4.5 | |
2710208 |
The net show bgp neighbor command output shows the BFD status as UP even when the BGP neighbor is not established, such as when the interface is down. |
4.2.1-4.4.5 | |
2699399 |
When you run the vtysh show ip bgp vrf command, the bgpd service crashes if you use vrf all . For example:spine01# show ip bgp vrf all statistics vtysh: error reading from bgpd: Success (0)Warning: closing connection to bgpd because of an I/O error!To workaround this issue, run the command against each VRF independently. |
3.7.15, 4.0.0-4.3.0 | 3.7.16, 4.3.1-4.4.5 |
2695526 |
CVE-2021-3580 CVE-2021-20305: Multiple vulnerabilities were discovered in nettle, a low level cryptographic library, which could result in denial of service (remote crash in RSA decryption via specially crafted ciphertext, crash on ECDSA signature verification) or incorrect verification of ECDSA signatures Vulnerable: 3.4.1-1Fixed: 3.4.1-1+deb10u1 |
4.0.0-4.3.1 | 4.4.0-4.4.5 |
2687332 |
When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usageTo workaround this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example: Before:address-family ipv4 unicastAfter: ip route 10.10.0.0/16 Null0This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed. |
3.7.12-4.2.1 | 4.3.0-4.4.5 |
2687159 |
CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331 CVE-2020-36332: Multiple vulnerabilities were discovered in libwebp, the implementation of the WebP image format, which could result in denial of service, memory disclosure or potentially the execution of arbitrary code if malformed images are processed Vulnerable: 0.6.1-2Fixed: 0.6.1-2+deb10u1 |
4.0.0-4.3.1 | 4.4.0-4.4.5 |
2685994 |
When you use the NVUE command nv set interface lo router ospf area to configure OSPF on a loopback interface, the configuration fails to applyTo work around this issue, configure the loopback interface in the desired OSPF area with the nv set vrf default router ospf area 0 network command and reference the assigned prefix of the loopback interface. For example:cumulus@leaf01:~$ nv set vrf default router ospf area 0 network 10.10.10.1/32 |
4.0.0-5.0.1 | 5.1.0-5.4.0 |
2685584 |
A host migrated to an 802.1x port within the same broadcast domain does not have the correct static FDB entry installed if a dynamic FDB entry for that MAC address exists from previous connectivity in the broadcast domain. | 4.2.1-4.3.0 | 4.3.1-4.4.5 |
2682971 |
CVE-2020-12762: integer overflow in the json-c JSON library, which could result in denial of service or potentially the execution of arbitrary code if large malformed JSON files are processed Vulnerable: 0.12.2+cl4u1Fixed: 0.12.2+cl4.4.0u1 |
4.0.0-4.3.1 | 4.4.0-4.4.5 |
2682780 |
Adding a route map configuration after a MAC access list configuration line causes the route map configuration to be applied incorrectly To work around this issue, add the MAC access list configuration to the end of the /etc/frr/frr.conf file. |
4.2.0-4.3.1 | 4.4.0-4.4.5 |
2679950 |
CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 |
3.7.0-3.7.15, 4.0.0-4.3.1 | 3.7.16, 4.4.0-4.4.5 |
2677049 |
CVE-2020-25681 CVE-2020-25682 CVE-2020-25683 CVE-2020-25684 CVE-2020-25685 CVE-2020-25686 CVE-2020-25687: Several vulnerabilities in dnsmasq, a small caching DNS proxy and DHCP/TFTP server, could result in denial of service, cache poisoning or the execution of arbitrary code. | 4.0.0-4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5 |
2671667 |
CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which couldresult in denial of service and potentially the execution of arbitrary code Vulnerable: <= 1.14.2-2+deb10u3Fixed: 1.14.2-2+deb10u4 |
4.0.0-4.3.1 | 4.4.0-4.4.5 |
2669858 |
OpenSSH is vulnerable to CVE-2020-14145, as described in https://www.fzi.de/fileadmin/user_upload/2020-06-26-FSA-2020-2.pdf. This is an information leak in algorithm negotiation that can allow man-in-the-middle attacks on initial connection attempts without a previously stored server host key on the client. If desired, mitigation using UpdateHostKeys and HostKeyAlgorithms is also given in that paper. |
3.7.14-3.7.16, 4.0.0-4.4.5 | |
2666838 |
CVE-2021-31535: missing length validation in various functions provided by libx11, the X11 client-side library, allow to inject X11 protocol commands on X clients, leading to authentication bypass, denial of service or potentially the execution of arbitrary code Vulnerable: <= 1.6.7-1+deb10u1Fixed: 1.6.7-1+deb10u2 |
4.0.0-4.3.1 | 4.4.0-4.4.5 |
2663479 |
CVE-2021-3520: integer overflow flaw in lz4, a fast LZ compression algorithm library, resulting in memory corruption Vulnerable: 1.8.3-1Fixed: 1.8.3-1+deb10u1 |
4.0.0-4.3.1 | 4.4.0-4.4.5 |
2656527 |
CVE-2020-18032: A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file Vulnerable: 2.40.1-6Fixed: 2.40.1-6+deb10u1 |
4.0.0-4.3.1 | 4.4.0-4.4.5 |
2654715 |
The cl-acltool takes a significant amount of time to run, which can slow down automation scripts. |
4.2.0-4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5 |
2652003 |
When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static FDB entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface command, then add back the 802.1x configuration. |
3.7.10-4.3.0 | 4.3.1-4.4.5 |
2648658 |
If you try to use more than one percent of max-ecmp-nexthops , you get an error indicating a failure. |
3.7.15-4.3.1 | 4.4.0-4.4.5 |
2648587 |
The received PVST BPDU for a VLAN is flooded even though the ingress port doesn’t have the VLAN tagged. | 3.7.8-3.7.14.2, 4.0.0-4.3.0 | 3.7.15-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5 |
2644053 |
The following vulnerabilities have been announced in BIND:CVE-2021-25214: a malformed incoming IXFR transfer could trigger an assertion failure in named, resulting in denial of service CVE-2021-25215: named could crash when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query CVE-2021-25216: the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries Vulnerable: <= 9.11.5.P4+dfsg-5.1+deb10u4Fixed: 9.11.5.P4+dfsg-5.1+deb10u5 |
4.0.0-4.3.1 | 4.4.0-4.4.5 |
2633062 |
The following vulnerability affects the libgstreamer-plugins-base1.0-0 package. There is no CVE yet; the Debian advisory number is DSA-4903-1 Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened Vulnerable: 1.14.4-2Fixed: 1.14.4-2+deb10u1 |
4.0.0-4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5 |
2617000 |
CVE-2021-26933 CVE-2021-27379Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, privilege escalation or memory disclosure Vulnerable: < 4.11.4+99-g8bce4698f6-1Fixed: 4.11.4+99-g8bce4698f6-1 |
4.0.0-4.3.1 | 4.4.0-4.4.5 |
2616998 |
CVE-2021-23358: missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code Vulnerable: 1.9.1~dfsg-1Fixed: 1.9.1~dfsg-1+deb10u1 |
4.0.0-4.3.1 | 4.4.0-4.4.5 |
2616987 |
CVE-2020-6851 CVE-2020-8112 CVE-2020-15389 CVE-2020-27814 CVE-2020-27823 CVE-2020-27824 CVE-2020-27841 CVE-2020-27842 CVE-2020-27843 CVE-2020-27845: Multiple vulnerabilities have been discovered in openjpeg2, the open-source JPEG 2000 codec, which could result in denial of service or the execution of arbitrary code when opening a malformed image Vulnerable: <= 2.3.0-2+deb10u1Fixed: 2.3.0-2+deb10u2 |
4.0.0-4.3.1 | 4.4.0-4.4.5 |
2616976 |
Multiple vulnerabilities were discovered in cURL, an URL transfer library:CVE-2020-8169: partial password leak to DNS servers CVE-2020-8177: malicious server could cause curl -J -i to overwrite a local file CVE-2020-8231: libcurl with CURLOPT_CONNECT_ONLY information leak due to wrong connection CVE-2020-8284: PASV response could trick curl into connecting back to an arbitrary IP address and port CVE-2020-8285: libcurl could run out of stack space using FTP wildcard matching (CURLOPT_CHUNK_BGN_FUNCTION) CVE-2020-8286: failure to verify that OSCP response matches intended certificate CVE-2021-22876: libcurl did not strip user credentials from URL when populating Referer HTTP request header CVE-2021-22890: libcurl using HTTPS proxy with TLS1.3 could use the wrong session ticket and bypass server TLS certificate check Vulnerable: <= 7.64.0-4+deb10u1Fixed: 7.64.0-4+deb10u2 |
4.0.0-4.3.1 | 4.4.0-4.4.5 |
2616967 |
CVE-2021-28957: lxml, a Python binding for the libxml2 and libxslt libraries, did not properly sanitize its input. This would allow a malicious user to mount a cross-site scripting attack Vulnerable: <= 4.3.2-1+deb10u2Fixed: 4.3.2-1+deb10u3 |
4.0.0-4.3.1 | 4.4.0-4.4.5 |
2616964 |
CVE-2021-27291: Pygments, a syntax highlighting package written in Python 3, used regular expressions which could result in denial of service Vulnerable: <= 2.3.1+dfsg-1+deb10u1Fixed: 2.3.1+dfsg-1+deb10u2 |
4.0.0-4.3.1 | 4.4.0-4.4.5 |
2616954 |
CVE-2021-3449: A NULL pointer dereference was found in the signature_algorithms processing in OpenSSL, a Secure Sockets Layer toolkit, which could result in denial of service Vulnerable: <= 1.1.1d-0+deb10u5Fixed: 1.1.1d-0+deb10u6 |
4.0.0-4.3.1 | 4.4.0-4.4.5 |
2614016 |
The switch firmware incorrectly identifies Lenovo LR4 transceivers (part number 00YD278) and does not set the laser levels properly, which can prevent the link from coming up or might cause the transceiver to be identified as a 1G module. | 4.2.0-4.3.1 | 4.4.0-4.4.5 |
2578872 |
CVE-2021-20270: It was discovered that Pygments, a syntax highlighting package written in Python, could be forced into an infinite loop, resulting in denial of service Vulnerable: 2.3.1+dfsg-1Fixed: 2.3.1+dfsg-1+deb10u1 |
4.0.0-4.3.1 | 4.4.0-4.4.5 |
2578870 |
CVE-2020-35523 CVE-2020-35524: Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed Vulnerable: <= 4.1.0+git191117-2~deb10u1Fixed: 4.1.0+git191117-2~deb10u2 |
4.0.0-4.3.1 | 4.4.0-4.4.5 |
2578845 |
The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with Unable to read from device/fan1_input/pwm1 syslog messages. |
3.7.11-3.7.14, 4.1.1-4.3.0 | 3.7.14.2-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5 |
2574368 |
When you run the NCLU net add bgp maximum-paths ibgp command, FRR restarts unexpectedlyTo work around this issue, either use the vtysh commands or edit the /etc/frr/frr.conf file directly, then run systemctl reload frr . |
4.1.1-4.4.5 | |
2566880 |
CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range. | 3.7.14-3.7.14.2, 4.0.0-4.3.1 | 3.7.15-3.7.16, 4.4.0-4.4.5 |
2564534 |
Several vulnerabilities have been discovered in the GRUB2 bootloader:
CVE-2020-14372: It was discovered that the acpi command allows a privileged user to load crafted ACPI tables when Secure Boot is enabled.
CVE-2020-25632: A use-after-free vulnerability was found in the rmmod command.
CVE-2020-25647: An out-of-bound write vulnerability was found in the grub_usb_device_initialize() function, which is called to handle USB device initialization.
CVE-2020-27749: A stack buffer overflow flaw was found in grub_parser_split_cmdline.
CVE-2020-27779: It was discovered that the cutmem command allows a privileged user to remove memory regions when Secure Boot is enabled.
CVE-2021-20225: A heap out-of-bounds write vulnerability was found in the short form option parser.
CVE-2021-2023: A heap out-of-bound write flaw was found caused by mis-calculation of space required for quoting in the menu rendering. |
4.0.0-4.3.1 | 4.4.0-4.4.5 |
2556782 |
CVE-2021-0326: An issue has been found in wpa, a set of tools to support WPA and WPA2 (IEEE 802.11i). Missing validation of data can result in a buffer over-write, which might lead to a DoS of the wpa_supplicant process or potentially arbitrary code execution. Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u1 |
3.7.14-3.7.14.2, 4.0.0-4.3.1 | 3.7.15-3.7.16, 4.4.0-4.4.5 |
2556777 |
CVE-2021-26937: A flaw in the handling of combining characters in screen, a terminal multiplexer with VT100/ANSI terminal emulation, can result in denial of service, or potentially the execution of arbitrary code via a specially crafted UTF-8 character sequence. Vulnerable: 4.6.2-3 Fixed: 4.6.2-3+deb10u1 |
4.0.0-4.3.1 | 4.4.0-4.4.5 |
2556775 |
DSA-4859-1 (no CVE): zstd, a compression utility, was vulnerable to a race condition: it temporarily exposed, during a very short timeframe, a world-readable version of its input even if the original file had restrictive permissions. Vulnerable: <= 1.3.8+dfsg-3+deb10u1 Fixed: 1.3.8+dfsg-3+deb10u2 |
4.0.0-4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5 |
2556772 |
The net show clag verify-vlans command fails with the following log:
To work around this issue, run the /usr/bin/clagctl verifyvlans command or the net show clag verbose command. |
4.2.1-4.4.5 | |
2556764 |
In a configuration with both traditional and VLAN-aware bridges, the VLAN membership check on a VLAN-aware switch does not drop PVST BPDUs that come from a traditional bridge. | 3.7.14-3.7.14.2, 4.0.0-4.3.0 | 3.7.15-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5 |
2556730 |
CVE-2020-8625: A buffer overflow vulnerability was discovered in the SPNEGO implementation affecting the GSSAPI security policy negotiation in BIND, a DNS server implementation, which could result in denial of service (daemon crash), or potentially the execution of arbitrary code. Vulnerable: <= 9.11.5.P4+dfsg-5.1+deb10u2 Fixed: 9.11.5.P4+dfsg-5.1+deb10u3 |
4.0.0-4.3.1 | 4.4.0-4.4.5 |
2556691 |
The following vulnerabilities have been announced in the openssl packages:
CVE-2021-23840: Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash.
CVE-2021-23841: The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However, it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer dereference and a crash, leading to a potential denial of service attack.
CVE-2019-1551: There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also, applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME.
Vulnerable: <= 1.1.1d-0+deb10u4 Fixed: 1.1.1d-0+deb10u5 |
4.0.0-4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5 |
2556569 |
DSA-4850-1 (no CVE): libzstd adds read permissions to files while being compressed or uncompressed. Vulnerable: 1.3.8+dfsg-3 Fixed: 1.3.8+dfsg-3+deb10u1 |
4.0.0-4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5 |
2556500 |
Cumulus Linux does not support bond members at 200G or greater. | 4.0.0-4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5 |
2556462 |
When you remove a fan tray, smonctl and sensors display different information about the removed fans. |
4.2.1-4.3.0 | 4.3.1-4.4.5 |
2556369 |
If you use NCLU to configure an ACL for eth0, you cannot designate it as an INPUT rule; the rule is automatically created as a FORWARD rule in the /etc/cumulus/acl/policy.d/50_nclu_acl.rules file. To work around this issue, manually create an ACL in a rules file under the /etc/cumulus/acl/policy.d/ directory with "-A INPUT -i eth0". |
4.2.1-4.4.5 | |
2556279 |
CVE-2021-3156: A serious heap-based buffer overflow has been discovered in sudo that is exploitable by any local user. It has been given the name Baron Samedit by its discoverer. The bug can be leveraged to elevate privileges to root, even if the user is not listed in the sudoers file. User authentication is not required to exploit the bug. Vulnerable: <= 1.8.27-1+deb10u2 Fixed: 1.8.27-1+deb10u3 |
4.0.0-4.2.1 | 4.3.0-4.4.5 |
2556217 |
The following vulnerability affects lldpd: CVE-2020-27827: A packet that contains multiple instances of certain TLVs will cause lldpd to continually allocate memory and leak the old memory. As an example, multiple instances of system name TLV will cause old values to be dropped by the decoding routine. Fixed: 1.0.4-0-cl4.3.0u2 |
3.7.14-3.7.14.2, 4.0.0-4.4.5 | 3.7.15-3.7.16 |
2556215 |
When you run any of the vtysh show bgp ipv4 or show bgp ipv6 statistics commands, the bgpd service crashes. |
4.2.1 | 4.3.0-4.4.5 |
2556082 |
The NCLU net del vrf command does not delete a numbered VRF. For example:
|
4.2.1-4.4.5 | |
2556081 |
You cannot set the time zone with NCLU commands. | 4.1.1-4.4.5 | |
2556010 |
On Broadcom switches, after repeated VLAN or VXLAN configuration changes, switchd memory might not free up appropriately, which can lead to a crash. |
3.7.14, 4.0.0-4.4.5 | 3.7.14.2-3.7.16 |
2555932 |
On Mellanox switches, you can’t ping the SVI of the MLAG peer over the peer link after the packet is VXLAN decapsulated. | 4.2.1-4.3.0 | 4.3.1-4.4.5 |
2555761 |
The following vulnerabilities were announced in the p11-kit (libp11-kit0) packages:
CVE-2020-29361: Multiple integer overflows have been discovered in the array allocations in the p11-kit library and the p11-kit list command, where overflow checks are missing before calling realloc or calloc.
CVE-2020-29362: A heap-based buffer over-read has been discovered in the RPC protocol used by the p11-kit server/remote commands and the client library. When the remote entity supplies a byte array through a serialized PKCS#11 function call, the receiving entity may allow the reading of up to 4 bytes of memory past the heap allocation.
CVE-2020-29363: A heap-based buffer overflow has been discovered in the RPC protocol used by p11-kit server/remote commands and the client library. When the remote entity supplies a serialized byte array in a CK_ATTRIBUTE, the receiving entity may not allocate sufficient length for the buffer to store the deserialized value.
Vulnerable: 0.23.15-2 Fixed: 0.23.15-2_deb10u1 |
4.0.0-4.2.1 | 4.3.0-4.4.5 |
2555690 |
The NET-SNMP-EXTEND-MIB, disabled in Cumulus Linux 4.2.1 and 3.7.14 to prevent security vulnerability CVE-2020-15862, is re-enabled read-only. | 3.7.14-3.7.14.2, 4.2.1-4.4.5 | 3.7.15-3.7.16 |
2555613 |
The net show configuration commands command incorrectly displays the NCLU syntax to disable IPv6 forwarding on interfaces. For example:
The correct NCLU command to disable IPv6 forwarding is net add vlan 1 ipv6 forward off (without the hyphen). |
4.2.1-4.4.5 | |
2555588 |
You can’t delete a BGP community list created with NCLU. | 4.2.1-4.4.5 | |
2555531 |
QinQ (802.1Q) packets routed to a layer 3 subinterface are still double tagged with the VLAN of the subinterface and the original inner VLAN when they leave the subinterface. | 4.2.0-4.4.5 | 3.7.15-3.7.16 |
2555528 |
In an EVPN Active/Active configuration, when one of the peers reboots and begins to refresh IP neighbor entries shared by the MLAG peer, some of these ARP messages might be dropped by the MLAG peer’s ARP policer. To work around this issue, increase the burst value of the ARP policers to 200 or higher. |
3.7.14-4.2.1 | 4.3.0-4.4.5 |
2555484 |
ospf6d restarts when you run the NCLU net show ospf6 database command or the vtysh show ipv6 ospf6 database command. |
4.2.0-4.2.1 | 4.3.0-4.4.5 |
2555428 |
When you change the SVI vlan-id value in the /etc/network/interfaces file, then run ifreload -a, the 802.1Q ID for the SVI in the kernel does not change. This operation is not supported in the kernel without recreating the SVI. To apply the change, run ifdown, then ifup for the SVI to recreate the interface. |
3.7.13-3.7.15, 4.2.1-4.4.5 | 3.7.16 |
2555426 |
Broadcom switches running Cumulus Linux do not support EVPN Multihoming. When a BGP update with EVPN multihoming attributes is received, switchd crashes. EVPN Multihoming is supported on Mellanox switches only. |
4.2.1 | 4.3.0-4.4.5 |
2555400 |
On the Edgecore AS7312 switch, eth0 and swp use the same MAC address. | 3.7.14-3.7.14.2, 4.0.0-4.4.5 | 3.7.15-3.7.16 |
2555380 |
When you start asic-monitor, you might see increasing memory usage. |
4.2.1 | 4.3.0-4.4.5 |
2555373 |
CVE-2020-27350: Missing input validation in the ar/tar implementations of APT, the high level package manager, could cause out-of-bounds reads or infinite loops, resulting in denial of service when processing malformed deb files. CVE-2020-27351: Various memory and file descriptor leaks were discovered in the Python interface to the APT package management runtime library, which could result in denial of service. Vulnerable: apt <= 1.8.2.1, python-apt <= 1.8.4.1 Fixed: apt 1.8.2.2, python-apt 1.8.4.3 |
4.0.0-4.2.1 | 4.3.0-4.4.5 |
2555339 |
The following vulnerability has been announced in OpenSSL: CVE-2020-1971: A flaw in the GENERAL_NAME_cmp() function could cause a NULL dereference when both GENERAL_NAMEs contain an EDIPARTYNAME, resulting in denial of service. More information can be found at https://www.openssl.org/news/secadv/20201208.txt. Vulnerable: <= 1.1.1d-0+deb10u3 Fixed: 1.1.1d-0+deb10u4 |
4.0.0-4.2.1 | 4.3.0-4.4.5 |
2555223 |
An EVPN route map filter matching a VNI on egress on the originating router might not set a large-community correctly:
To work around this issue, remove the VNI match to allow the tag to be applied on egress. The VNI match works if applied at some other non-originating router either in the ingress or egress direction. |
4.2.1 | 4.3.0-4.4.5 |
2554990 |
When running traditional mode bridges at scale (for example, when you have more than 200 bridges and a large number of MAC addresses), MLAG bonds flap intermittently from dual to single connected, then back to dual connected, which causes a layer 2 loop and STP state changes. To work around this issue, either shut down one side of the MLAG bond or prune out VLANS over the bond. |
3.7.13-3.7.14.2, 4.0.0-4.4.5 | 3.7.15-3.7.16 |
2554986 |
The ethtool utility does not contain the latest values; as a result, the Revision Compliance field shows Unallocated. |
4.2.1-4.4.5 | |
2554982 |
CVE-2020-28196: MIT Kerberos 5 (aka krb5) before 1.17.2 and 1.18.x before 1.18.3 allows unbounded recursion via an ASN.1-encoded Kerberos message because the lib/krb5/asn.1/asn1_encode.c support for BER indefinite lengths lacks a recursion limit. Vulnerable: 1.17-3 Fixed: 1.17-3+deb10u1 |
4.0.0-4.2.1 | 4.3.0-4.4.5 |
2554866 |
On the Mellanox SN3420 switch, 1000BaseT and 1000Base-SX/LX modules do not link up. | 4.2.1 | 4.3.0-4.4.5 |
2554834 |
CVE-2020-25709, CVE-2020-25710: Two vulnerabilities in the certificate list syntax verification and in the handling of CSN normalization were discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of these flaws to cause a denial of service (slapd daemon crash) via specially crafted packets. Vulnerable: <= 2.4.47+dfsg-3+deb10u3 Fixed: 2.4.47+dfsg-3+deb10u4 |
4.0.0-4.2.1 | 4.3.0-4.4.5 |
2554812 |
If the RMAC of a layer 3 SVI changes, the show vrf vni command is not updated with the new value. However, the new RMAC is seen in the show evpn vni command and is present on self-originated EVPN routes. |
4.2.1-4.4.5 | |
2554809 |
Some non-Mellanox Ethernet modules do not link up on a Mellanox SN3420 switch that has the Cumulus PSID in its hardware revision. To see if a Mellanox SN3420 switch has the Cumulus PSID, check the output of mlxfwmanager for MSN3420-CxxxC_Ax in the Part Number field. A Mellanox SN3420 switch with MSN3420-CxxxO_Ax has an ONIE PSID and is unaffected by this issue. To work around this issue, use Mellanox Ethernet modules with the Mellanox SN3420 switch. |
4.2.1-4.4.5 | |
2554798 |
On the Mellanox SN3700C switch, PIM multicast packets are duplicated at the egress VTEP. | 4.2.0-4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5 |
2554785 |
After you reboot a Broadcom switch, switchd might fail to restart and you see logs in switchd.log similar to the following:
Nov 12 12:20:05.063876 leaf01 switchd[9867]:
Nov 12 12:20:05.064310 leaf01 switchd[9867]: hal_bcm_console.c:294 0:system_init:
Nov 12 12:20:05.064428 leaf01 switchd[9867]: hal_bcm_console.c:294 system_init: Misc init failed: Operation timed out
Nov 12 12:20:05.064464 leaf01 switchd[9867]:
Nov 12 12:20:05.091995 leaf01 switchd[9867]: hal_bcm_console.c:294 LED: Loading 256 bytes into LED program memory
Nov 12 12:20:05.092029 leaf01 switchd[9867]:
Nov 12 12:20:05.099547 leaf01 switchd[9867]: hal_bcm_console.c:294 PORT: Error: bcm ports not initialized
Nov 12 12:20:05.099579 leaf01 switchd[9867]:
Nov 12 12:20:05.099646 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /var/lib/cumulus/rc.datapath_0: line 81 (error code -1): script terminated
Nov 12 12:20:05.099667 leaf01 switchd[9867]:
Nov 12 12:20:05.099775 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /etc/bcm.d/rc.soc: line 70 (error code -1): script terminated
Nov 12 12:20:05.099798 leaf01 switchd[9867]:
Nov 12 12:20:05.099871 leaf01 switchd[9867]: hal_bcm_console.c:294 ERROR loading rc script on unit 0
Nov 12 12:20:05.099892 leaf01 switchd[9867]:
Nov 12 12:20:05.099943 leaf01 switchd[9867]: hal_bcm_console.c:299 CRIT loading of rc script failed, aborting!
To work around this issue, configure Cumulus Linux to boot with the intel_iommu=off kernel command line option:
1. Open the /etc/default/grub file with a text editor.
2. Edit the GRUB_CMDLINE_LINUX variable by adding the string intel_iommu=off at the end. For example: GRUB_CMDLINE_LINUX="cl_platform=cel_e1031 console=ttyS1,115200n8 intel_iommu=off"
3. Run the update-grub command.
4. Reboot the switch. |
3.7.11-4.2.1 | 4.3.0-4.4.5 |
2554783 |
If you apply an outbound route map to a BGP peer that uses set as-path prepend last-as, advertised locally-originated routes have the ASN of the peer prepended to the AS path. This might trigger AS path loop prevention on the peer, where the peer ignores locally-originated prefixes. |
4.2.1-4.4.5 | 5.0.0-5.4.0 |
2554730 |
In an EVPN multihoming configuration, reloading FRR causes brief traffic loss. | 4.2.1 | 4.3.0-4.4.5 |
2554720 |
If switchd successfully signals clagd that it is going down, clagd stops responding to keepalive echo requests from the peer instead of sending a goodbye to the peer over both the peerlink and the backup switch. Eventually, the keepalive timer expires and the secondary switch becomes the primary, and brings the bonds and VNIs back up. However, if switchd does not successfully signal that it is going down (in the event of a crash), the primary switch continues to respond to keepalives, and the bonds and VNIs are down on both peers. |
3.7.12-3.7.14.2, 4.0.0-4.4.5 | 3.7.15-3.7.16 |
2554711 |
On the Mellanox SN3700C switch, running cl-support with a large number of ports configured can cause switchd to crash. |
4.2.1 | 4.3.0-4.4.5 |
2554709 |
The IP address specified in the ip pim use-source command configured on the loopback interface should be inherited by unnumbered interfaces during their primary IP address selection process. If ip pim use-source is configured on the loopback after an unnumbered interface has already selected its primary IP address, the unnumbered interface does not update its primary IP address to the new use-source value until there is a netlink update for that interface. To work around this issue, configure ip pim use-source on each unnumbered interface directly, or ensure ip pim use-source is applied to the loopback before other unnumbered interfaces are enabled for PIM. |
3.7.13-3.7.16, 4.2.1-4.4.5 | |
2554707 |
On the Dell S5048F-ON switch, optical transceivers do not come up and the modules are in reset mode. | 4.0.0-4.2.1 | 4.3.0-4.4.5 |
2554588 |
If you try to reconfigure a DHCP server after you delete the switch configuration with the net del all command, the dhcpd service fails because a duplicate process is running. To work around this issue, edit the /usr/lib/python2.7/dist-packages/nclu/plugins/dhcp.py file to change:
DHCPD_PID="-pf {0}"
to:
DHCPD_PID="-pf {1}" |
3.7.13-4.2.1 | 4.3.0-4.4.5 |
2554582 |
On switches with the Maverick ASIC, control traffic is dropped due to receive buffering. | 4.2.0-4.4.5 | |
2554533 |
On the ARM platform, NTP peer associations slowly increase to larger offsets (~500ms). | 4.0.0-4.4.5 | |
2554503 |
If the peer link does not trunk all VLANs on an MLAG bond, all FDB entries learned through that MLAG bond are not redirected over the peer link when the MLAG bond goes down. As a result, traffic destined to the MAC addresses that arrives on the MLAG peer with the downed MLAG port is dropped. To work around this issue, ensure that the peer link trunks all VLANs that exist on all MLAG bonds. |
4.2.0-4.2.1 | 4.3.0-4.4.5 |
2554466 |
Kernel routes added by iproute2 are missing in FRR after an interface flap. To work around this issue, configure a static route in FRR. |
4.2.1-4.4.5 | |
2554401 |
On the Mellanox SN4600C switch, the fan speed fluctuates when only one PSU is plugged in. To work around this issue, use both PSUs. |
4.2.1 | 4.3.0-4.4.5 |
2554369 |
Certain Dell S4048-ON switches show an incorrect vendor name and hang when you issue the reboot command. |
3.7.12-4.2.1 | 4.3.0-4.4.5 |
2554333 |
The INPUT chain POLICE target acts as ACCEPT instead of continue. | 4.2.1-4.4.5 | |
2554299 |
In a VRRP configuration, BGP unnumbered sessions for VRFs fail to establish after a networking restart. | 4.2.0-4.3.1 | 4.4.0-4.4.5 |
2554292 |
With traditional bridges, a race condition occurs when Cumulus Linux tries to derive MAC addresses. To work around this issue, use a static MAC address; specify a MAC address in the /etc/network/interfaces file under the bridge’s stanza. |
4.2.1 | 4.3.0-4.4.5 |
2554258 |
Interfaces configured to get an IP address with DHCP try only three times to secure a DHCP lease (instead of retrying indefinitely). If unsuccessful after the third try, the switch stops trying. | 4.2.1-4.4.5 | |
2554253 |
After upgrading the Mellanox SN2410 switch, the FAN is set to full speed. | 4.2.1 | 4.3.0-4.4.5 |
2554246 |
When you back up and restore a configuration using the conf-backup utility, the switch might hang when rebooted. | 4.1.1-4.2.1 | 4.3.0-4.4.5 |
2554222 |
The NCLU command to enable bridge learning fails. As a workaround, enable bridge learning in the /etc/network/interfaces file. For example:
|
4.2.1-4.4.5 | |
2554218 |
MLAG packets received on the peer link are dropped instead of routed. | 4.2.0-4.4.5 | |
2554202 |
The output of the net show commit command does not show the last commit or the specified commit number but is empty instead. |
4.2.1-4.4.5 | |
2553989 |
The default policer configured for LACP as an INPUT chain rule in 00control_plane.rules is meant to protect the CPU from an LACP storm. When an LACP storm originates from a single bond or bond member interface on a switch with multiple bond interfaces, other LACP bond interfaces might go down. | 4.2.1-4.4.5 | |
2553952 |
On Mellanox Spectrum-based switches running 4.1.0 or higher, if FORWARD chain ACLs are configured on the system, a switch port breakout action applied with a reload of the switchd service might cause switchd to crash. | 4.2.0-4.4.5 | |
2553887 |
When using TACACS+ configured with a DEFAULT user that provides a privilege level lower than 16, TACACS+ users configured with privilege level 16 access might not be able to run privilege level 16 NCLU commands, such as net add and net del, and see an error similar to the following:
To work around this issue, remove the DEFAULT user from the TACACS+ server. |
3.7.7-3.7.16, 4.0.0-4.4.5 | |
2553747 |
On switches with the Spectrum ASIC, the IPv6 default route might be present in the kernel but missing in hardware when IPv6 RAs are received on SVIs configured with ip-forward off. |
3.7.11-3.7.14.2, 4.2.1-4.4.5 | 3.7.15-3.7.16 |
2553742 |
The next hop for static routes configured in a non-default VRF might be incorrectly flagged as inactive. Remove and reconfigure the static VRF route to recover from this condition. | 4.2.1-4.4.5 | |
2553731 |
A ping via a dual-connected bond fails, and the audio stream is not routed or encapsulated through the layer 3 VNI. | 3.7.12-3.7.13, 4.0.0-4.4.5 | 3.7.14-3.7.16 |
2553677 |
When you configure an SNMPv3 user with the net-snmp-config configuration command from the libsnmp-dev package, you get an error message similar to the one below:
To work around this issue, use the NCLU command to configure SNMPv3 user parameters; for example:
Alternatively, directly edit the /etc/snmp/snmpd.conf file as described in the documentation. |
3.7.13-3.7.16, 4.0.0-4.4.5 | |
2553586 |
Multicast traffic on a VPN is sent to remote VTEPs that are not part of the VPN and the remote VTEPs receive multicast traffic encapsulated in a VXLAN ID that doesn’t exist. To work around this issue, disable IGMP snooping on the switch. |
3.7.12-3.7.13, 4.0.0-4.4.5 | 3.7.14-3.7.16 |
2553568 |
After a MAC address moves from one remote VTEP to another, the MAC address continues to point to the old VTEP IP address in hardware. | 4.1.1-4.2.1 | 4.3.0-4.4.5 |
2553529 |
In an MLAG configuration with a layer 3 VNI, when you bounce the peer link, all layer 2 VNIs listed under the layer 3 VNI are duplicated. To work around this issue, restart FRR with the sudo systemctl restart frr.service command. |
3.7.10-3.7.13, 4.1.1-4.4.5 | 3.7.14-3.7.16 |
2553468 |
Digital Optical Monitoring (DOM) Data is displayed incorrectly on SFP fiber modules inserted in the Fiberstore N8500-48B6C, Celestica Questone, and Celestica RedstoneV switches. | 4.2.0-4.2.1 | 4.3.0-4.4.5 |
2553449 |
On the Dell N3248-PXE switch, when you insert two PSUs at different times, the newly inserted PSU is detected as OK but the fan and temperature sensors are ABSENT. To work around this issue, remove power from both PSUs at the same time, then reapply power simultaneously. |
3.7.12-3.7.13, 4.2.1-4.4.5 | 3.7.14-3.7.16 |
2553349 |
When you delete a layer 2 VNI and VLAN, the layer 3 VNI reports an incorrect layer 2 VNI number. To work around this issue, either restart FRR or delete the VNI interface first, then delete the VLAN/SVI. |
4.2.0-4.2.1 | 4.3.0-4.4.5 |
2553278 |
Leaked routes are sometimes missing from the destination VRF after a reboot. | 4.2.0-4.2.1 | 4.3.0-4.4.5 |
2553237 |
The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF. NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF. |
4.2.0-4.4.5 | |
2553228 |
On the Dell N3248PXE switch, RJ45 fixed copper ports that auto-negotiate with a 100M or 10M neighbor incorrectly negotiate a half-duplex link that generates errors. Half duplex modes are not supported on this platform. | 3.7.12-3.7.13, 4.2.1-4.4.5 | 3.7.14-3.7.16 |
2553219 |
You cannot configure SNMPv3 trap-destinations in non-default VRFs with an authentication username that contains fewer than eight characters. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
2553118 |
The Dell 100G-LR4 (Innolight) transceiver cannot link up due to a power budget exceeded error on the Mellanox SN4600C switch. | 4.2.0-4.2.1 | 4.3.0-4.4.5 |
2553116 |
When you manually set the link speed or duplex mode with ethtool to an unsupported value, then run a TDR check against the interface, you encounter a switchd service heartbeat failure. To work around this issue, reboot the switch to clear the condition. Avoid setting the interface speed or duplex mode directly with ethtool. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2553015 |
If an LLDP neighbor's PortID contains a special character, the net show interface command does not display the LLDP information or the command might fail. |
3.7.10-3.7.16, 4.2.0-4.4.5 | |
2552939 |
The RX_DRP counter on a bond interface increases without any data traffic, while the counter on the slave port does not increase. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
2552880 |
IPv6 TCP or UDP connections (sourcing from an ephemeral port in the range 34048 to 35071) are not forwarded if the switch has more than one layer 2 VNI defined. The traffic might be locally switched on the bridge and dropped. To work around this issue, disable ARP/ND suppression to remove the internal ACL rule that affects the ports. |
3.7.13, 4.2.1-4.4.5 | 3.7.14-3.7.16 |
2552869 |
On the Dell N3048EP switch, the module information from SFP ports is not displayed in the l1-show command. To work around this issue, use the ethtool -m command. |
3.7.13-4.2.1 | 4.3.0-4.4.5 |
2552853 |
Tenant VRF BGP peers appear in the EVPN RMAC and nexthop tables, which causes the kernel RMAC to point at an invalid IP address. | 3.7.12-3.7.14.2, 4.0.0-4.4.5 | 3.7.15-3.7.16 |
2552744 |
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks: CVE-2020-14351, CVE-2020-29660, CVE-2020-29661, CVE-2020-25704, CVE-2020-28974, CVE-2020-25705, CVE-2020-28915, CVE-2020-25211, CVE-2019-19338, CVE-2020-0305, CVE-2019-18885, CVE-2019-19072, CVE-2020-12652, CVE-2020-24394, CVE-2020-25641, CVE-2019-3874, CVE-2019-5489. (CVE-2020-27825, CVE-2020-29369, CVE-2020-29372 and CVE-2020-29534 are not applicable to Cumulus Linux.) For the detailed security status of linux, refer to its security tracker page at https://security-tracker.debian.org/tracker/linux |
4.2.0-4.2.1 | 4.3.0-4.4.5 |
2552742 |
On the Mellanox SN2410 switch, you see switchd core and GBIN_MALLOC errors. To work around this issue, restart switchd. |
3.7.12-4.2.1 | 4.3.0-4.4.5 |
2552710 |
The MLAG bonds on a secondary switch do not change to a unique MAC address on the peerlink. As a result, a backup double failure can occur where both peers go down. | 4.2.0-4.2.1 | 4.3.0-4.4.5 |
2552704 |
In a traditional bridge configuration with ip-forward off, neighbors are synchronized to hardware with a switchd restart but are cleared when you flap the bridge interface. |
3.7.10-3.7.14.2, 4.0.0-4.4.5 | 3.7.15-3.7.16 |
2552691 |
On the EdgeCore AS4610 switch, the eth0 interface remains down when physically connected to a 1G interface. To work around this issue, configure the link speed to 1000 and set auto-negotiation on for the eth0 interface, then flap eth0 with the ip link set eth0 down/up command to bring up the port. |
4.2.0-4.4.5 | |
2552687 |
When you boot Cumulus VX 4.2 for the first time, ZTP does not execute because it thinks that the /etc/shadow file has been modified. This is due to the default password change implemented in CL 4.2. To work around this issue, boot the switch, manually change the password, then run sudo ztp -R to reset the ZTP script. |
4.2.0-4.2.1 | 4.3.0-4.4.5 |
2552527 |
Ingress SPAN/ERSPAN does not mirror packets when the next hop is EVPN encapsulated. | 3.7.7-3.7.13, 4.0.0-4.4.5 | 3.7.14-3.7.16 |
2552453 |
On the Mellanox switch, RoCE with PFC configuration is not applied to all ports in hardware when a range is used in the traffic.conf file. To work around this issue, use NCLU to configure RoCE with PFC or list individual ports in the traffic.conf file. |
4.2.0-4.4.5 | |
2552354 |
On the Mellanox SN4700 switch, you might see Bad signal integrity issues on 200G and 400G ports. | 4.2.1 | 4.3.0-4.4.5 |
2552309 |
The following messages are seen on an Edgecore Minipack-AS8000 running Cumulus Linux 4.2.0:
These messages are for internal validation purposes only and can be safely ignored. |
4.2.0-4.4.5 | |
2552294 |
NCLU restarts FRR when removing a BGP VRF IPv4 aggregate-address command. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2552266 |
OpenSSH scp is vulnerable to CVE-2020-15778, where clients that have authorized access to the SSH server can execute commands on the server by copying maliciously named files. The two scenarios where an exploit may be useful to an attacker:
- The user is authorized to scp but not ssh (based on the command option in the authorized_keys file), so this vulnerability can allow executing a remote command on the target computer when not authorized to do so.
- An attacker plants a maliciously named file in a directory tree that someone later uses scp -r to copy over to the target computer.
Be aware that restricting users to scp by using the command option in the authorized_keys file is not effective in preventing those users from executing arbitrary commands on the server. If you want to use scp -r to copy directory trees, avoid copying directory trees to which attackers may have added maliciously named files. Archiving the directory tree with tar, zip, or a similar program, then copying the archive over to be extracted on the server avoids having to use scp -r altogether. In addition, OpenSSH provides sftp, which you can use instead of scp to copy files. To disable scp completely, use /bin/chmod 0 /usr/bin/scp. |
3.7.14-3.7.16, 4.0.0-4.4.5 | |
2551873 |
If you have an existing community list of any type, redefining the same sequence number results in the entire community list being deleted. To work around this issue, delete the community list sequence before trying to adjust it. |
4.2.0-4.2.1 | 4.3.0-4.4.5 |
2551747 |
In OVSDB high availability mode, deleting more than 200 VLAN bindings might cause ovs-vtepd to crash. Limit the deletion to 200 or fewer VLAN bindings. |
3.7.12-3.7.13, 4.0.0-4.4.5 | 3.7.14-3.7.16 |
2551687 |
When you run cl-ecmpcalc to determine a hardware hash result, tests might fail. |
4.2.0-4.2.1 | 4.3.0-4.4.5 |
2551666 |
If you modify an interface name, then reuse the previous interface name for a different VLAN, the ifreload -a command generates an error similar to the following:
|
4.1.0-4.4.5 | |
2551578 |
When you configure a bridge in the /etc/network/interfaces file, then try to reconfigure the bridge to be a VRF interface with the same name, the ifreload or ifup commands fail with an invalid table id or unable to get vrf table id error. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2551565 |
If you toggle VRRP priority values between VRRP routers, then restart switchd, a few IPv6 VRRP instances might not converge. As a result, both VRRP routers act as master routers for the impacted IPv6 VRRP instances. IPv4 VRRP instances are not affected. To work around this issue, remove, then add back the VRRP configuration with NCLU or vtysh commands. |
3.7.13-3.7.16, 4.2.0-4.4.5 | |
2551422 |
On Mellanox switches with the Spectrum-2 ASIC, the lpm-balanced forwarding profile does not work. | 4.1.1-4.2.1 | 4.3.0-4.4.5 |
2551335 |
When TACACS+ is configured and the management VRF is enabled, users with privilege level 13 are prevented from running ip and cat commands. |
4.0.0-4.4.5 | |
2551305 |
The net show configuration command provides the wrong net add command for ACL under the VLAN interface. |
3.7.12-3.7.16, 4.1.0-4.4.5 | |
2551273 |
On a Mellanox SN2010 switch, the Locator LED is on after you upgrade Cumulus Linux. | 4.1.0-4.4.5 | |
2551221 |
When span-to-cpu is enabled on a layer 3 swp interface with an IP address configured, packets whose destination IP is the switch port's IP address do not reach the switch port. To capture packets directed towards the switch port's IP address, disable span-to-cpu and use tcpdump on the switch port instead. | 4.2.0-4.4.5 | |
2551187 |
dot1qVlanIndex in the dot1qVlanStaticTable of the SNMP Q-BRIDGE-MIB does not use VLAN ID and does not comply with RFC 4363. | 4.1.1-4.2.1 | 4.3.0-4.4.5 |
2551124 |
When the dynamic or static flag on a bridge fdb (MAC) entry is changed to the opposite state, the new flag is not set appropriately in hardware. This can allow a static fdb entry to be unexpectedly learned dynamically on a different interface, or can prevent a dynamic entry from being updated or learned elsewhere. This condition can occur during a manual replacement of a local MAC address or when EVPN updates a dynamic MAC address to add or remove the Sticky Mac flag. Either situation results in the MAC address keeping the original flag in hardware. To work around this issue, delete or withdraw the fdb entry, then add the static MAC address directly. For example:
If you are unable to delete an EVPN-learned remote MAC address, you can replace the dynamic MAC address with a local static one, then delete the static MAC address. For example:
|
4.0.0-4.2.1 | 4.3.0-4.4.5 |
2551111 |
If a remote EVPN Sticky MAC [Static MAC address] is unexpectedly learned dynamically on a local interface, the selected entries in zebra and BGP are in an inconsistent state. zebra increments the local MAC mobility sequence number and considers the MAC address to be local, but BGP maintains the remote Sticky MAC as the best path selected. This results in zebra installing the local MAC address and BGP not updating the route for the MAC address. |
4.0.0-4.4.5 | |
2550974 |
On the Dell S3000 switch, after installing the Cumulus Linux 4.1.1 disk image without a license, the switch sends a link beat if a remote host port is configured. | 3.7.11-3.7.16, 4.1.1-4.4.5 | |
2550973 |
After you enable ROCE with the net add interface command, you cannot verify the command because it is not shown in the net show config command output. |
4.1.1-4.2.1 | 4.3.0-4.4.5 |
2550906 |
After you delete a bond, the deleted bond members have the deleted bond MAC address instead of their original MAC address, which might result in traffic being discarded. To work around this issue, perform a full switch restart. |
4.1.1-4.2.1 | 4.3.0-4.4.5 |
2550796 |
On a Broadcom switch with the Trident2+ ASIC, ACL rules for VLANs are not applied after a reboot and the counters remain at zero. To work around this issue, either do not set acl.non_atomic_update_mode = TRUE in the /etc/cumulus/switchd.conf file or run the cl-acltool -i command after the reboot to install the ACLs. |
3.7.12-4.2.1 | 4.3.0-4.4.5 |
2550793 |
The NCLU net show bridge spanning-tree command displays the aging timer incorrectly. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2550713 |
Configuring the subinterface of a VXLAN uplink under another traditional bridge, which also has the VXLAN VNI enslaved, causes switchd to use high CPU due to very frequent VXLAN tunnel sync events. To work around this issue, do not enslave the subinterface of a VXLAN layer 3 uplink under a traditional bridge in a VXLAN configuration. |
4.1.1-4.4.5 | |
2550642 |
ACLs with a SPAN target and a bond member as the in-interface are not supported on Spectrum-based switches. | 4.2.0-4.4.5 | |
2550444 |
Tab completion for the net show rollback description command returns information about a snapshot instead of context help. To work around this issue, run the net show commit history command to find descriptions instead of the net show rollback description command. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2550443 |
The net show rollback description command returns an error even if the string matches a commit description. To work around this issue, look for your string in the output of the net show commit history command (or grep for it there) instead. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2550374 |
CPU utilization may increase when clag-managed bond interfaces are operationally/LACP down but the physical carrier remains up on the bond member switchports. This condition occurs when clag bond redirection is enabled and bond members remain up while the parent bond does not negotiate LACP. This issue is resolved in Cumulus Linux 3.7.14. |
3.7.9-3.7.13, 4.0.0-4.4.5 | 3.7.14-3.7.16 |
2550348 |
Due to a known limitation, DHCPv6 snooping is not supported on Mellanox platforms. Refer to the Mellanox support case |
4.2.0-4.2.1 | 4.3.0-4.4.5 |
2550276 |
In LLDP, the snmp subagent loses all subsequent lldpRemSysName (1.0.8802.1.1.2.1.4.1.1.9) entries after an entry with a missing SysName is added. All the information from lldpctl is correct. Only the entries after the entry that is missing a SysName in lldpRemSysName disappear from the snmp subagent. |
3.7.12-4.2.1 | 4.3.0-4.4.5 |
2550243 |
When you use nginx and restserver in the management VRF to provide a REST API for the switch, nginx starts but restserver fails to start. To work around this issue, comment out the Requires= line in the /lib/systemd/system/restserver.service file. For example:
|
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2550056 |
The ACCTON-DIAG option under the Cumulus Linux GRUB menu does not work. When you select this option, you see the following error:
|
3.7.12-3.7.16, 4.1.1-4.4.5 | |
2549925 |
When you run an Ansible script to replace the /etc/network/interfaces file, then run the ifreload -a command, you see errors similar to the following:
To work around this issue, run the ifreload -a command a second time. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2549872 |
If you have an SVI with multiple VRR IP addresses and try to delete one of the VRR configurations, net commit or ifreload -a returns an error. |
3.7.12-3.7.16, 4.1.1-4.4.5 | |
2549838 |
In vtysh, if you configure, then remove a layer 3 VNI for a VRF, the VNI is removed from zebra even if the VNI interface still exists in the kernel. If you configure a layer 2 VNI as a layer 3 VNI by mistake, removing the layer 3 VNI binding removes it from zebra but EVPN-learned MACs and neighbors are not installed into the kernel. To work around this issue, delete, then re-add the missing VNI. For example:
If you flap the link with the ip link set vni10100 down; ip link set vni10100 up commands, zebra does not re-add the VNI. |
3.7.12-4.2.1 | 4.3.0-4.4.5 |
2549784 |
On Mellanox switches, when the networking service and switchd start up, a rare condition might occur where switchd crashes and the following log message is generated:
|
4.1.0-4.2.1 | 4.3.0-4.4.5 |
2549782 |
The JSON format output of the net show bgp l2vpn evpn summary command shows the incorrect neighbour state. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2549731 |
When you create SPAN or ERSPAN rules in ebtables, the action fails to install if it is not in lowercase. Make sure that the SPAN or ERSPAN action is all lowercase; for example:
|
3.7.12-3.7.16, 4.1.1-4.4.5 | |
2549392 |
When you configure an RD or RT with NCLU, you see duplicate VNI stanzas in the /etc/frr/frr.conf file. To work around this issue, manually edit the /etc/frr/frr.conf file to define advertise-all-vni before the RD or RT configuration within the l2vpn EVPN address family, then reload the FRR service with the sudo systemctl reload frr command. |
4.1.0-4.4.5 | |
2549371 |
When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when no MLD join is received. |
3.7.11-4.3.1 | 4.4.0-4.4.5 |
2549225 |
You might see the following gport error messages in switchd.log :
These messages are harmless and can be ignored. |
3.7.12-3.7.14.2, 4.0.0-4.4.5 | 3.7.15-3.7.16 |
2548930 |
On Mellanox Spectrum switches that contain an OSPF IP unnumbered neighborship with a high scale of prefixes being learned, a link flap might cause the neighbor entry to not be programmed in hardware. | 3.7.11-4.2.1 | 4.3.0-4.4.5 |
2548924 |
On the EdgeCore Minipack AS8000, storm control does not restrict unknown unicast, broadcast, or multicast traffic. | 4.1.1-4.4.5 | |
2548672 |
When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF. To work around this issue, remove the unnecessary eBGP IPv4 peering. |
3.7.12-3.7.15, 4.0.0-4.4.5 | 3.7.16 |
2548657 |
When you upgrade Cumulus Linux on the EdgeCore AS7726-32X or AS7326-56X switch, you might see firmware errors similar to the following:
You can safely ignore these error messages. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2548579 |
The following security vulnerability has been announced: CVE-2020-10531: An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp. |
3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16 |
2548485 |
If you configure the aggregate-address summary-only option before injecting a component of the same aggregate into the BGP table with the network or redistribute command, when you remove the aggregate-address configuration, the component stays suppressed; it is not advertised to peers. For example:
Existing configuration:
router bgp 1
If you add network 50.0.0.1/32 , you see the following (expected) BGP table entries:
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
Removing aggregate-address 50.0.0.0/8 summary-only at this point results in the following (unexpected) BGP table entry:
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
To work around this issue, remove, then re-add the component prefix routes. |
3.7.12-4.2.1 | 4.3.0-4.4.5 |
2548408 |
The net show configuration commands do not show the RoCE net add interface configuration. |
4.1.0-4.2.1 | 4.3.0-4.4.5 |
2548315 |
The following security advisory has been announced for bash: CVE-2019-18276 (Qualys scan QID 372268, setuid vulnerability). When bash or bash scripts are run setuid, bash is supposed to drop privileges, but does so incorrectly, so that an attacker with command access to the shell can use enable -f for runtime loading of a new builtin that calls setuid() to regain dropped privileges. To work around this issue, do not make bash or bash scripts setuid. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2548310 |
When the system boots, you might see errors such as "cumulus systemd-udevd[7566]: Process '/usr/bin/hw-management-thermal-events.sh add thermal_zone /sys/devices/virtual/thermal/thermal_zone25 thermal_zone25' failed with exit code 1". These errors are the result of user space acting on kernel events slightly too slowly. The mlxsw_minimal driver is added during kernel boot. An SDK reset causes the driver to be deleted and re-instantiated. The user space handler for the thermal zone add sees the add first, but the underlying device is deleted before the handler can act on it. This situation is rectified when the mlxsw_minimal driver is re-instantiated later. |
4.1.0-4.4.5 | |
2548260 |
The net add routing route-map command does not add the set statement into the /etc/frr/frr.conf file. |
4.0.0-4.4.5 | |
2548243 |
On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
2548117 |
In OVSDB traditional bridge mode, adding or removing a VLAN binding causes a traffic forwarding outage for around 20 seconds or more on adjacent VLAN bindings. Cumulus Linux does not support traditional bridge mode with VMware NSX. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
2548062 |
When ports are split to 4x25G, RS FEC needs to be explicitly configured on both ends (especially when interoperating with non-Mellanox switches). | 4.1.0-4.4.5 | |
2548044 |
When a remote VTEP withdraws a type-3 EVPN route, Cumulus Linux purges all MAC address and neighbor entries installed in the corresponding layer 2 VNI through that remote VTEP from the local EVPN and kernel forwarding tables. This purge occurs even if the remote VTEP does not withdraw type-2 routes carrying the MAC address or neighbor entries. The entries stay missing from the local EVPN and kernel forwarding tables until BGP updates the MAC address and neighbor. | 3.7.12-3.7.15, 4.0.0-4.4.5 | 3.7.16 |
2547903 |
CVE-2019-19956: xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs. Vulnerable: 2.9.4+dfsg1-7. Fixed: 2.9.4+dfsg1-7+deb10u1. |
4.0.0-4.4.5 | |
2547890 |
QinQ across VXLAN on a traditional bridge does not work. | 4.1.0-4.4.5 | |
2547782 |
If a LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2547706 |
When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd . To work around this issue, reboot the switch. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2547405 |
When you restart the hsflowd service, you see a systemd warning message similar to the following:
|
4.0.0-4.4.5 | |
2547120 |
After you hot swap a PSU, the decode-syseeprom -t psuX command shows the old PSU information (such as the serial number) until you run the decode-syseeprom --init command. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2547068 |
Hardware platforms using the Intel D-1500 CPU series might reboot unexpectedly. To work around this issue, contact your hardware vendor to inquire if a new version of BIOS with a microcode fix is available, or manually disable CPU C-states in the kernel as outlined below.
To permanently disable C-states using a kernel boot parameter:
1. Edit /etc/default/grub to add the argument processor.max_cstate=0 to the variable GRUB_CMDLINE_LINUX . For example, if the /etc/default/grub file contains the line GRUB_CMDLINE_LINUX="cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off" , change it to GRUB_CMDLINE_LINUX="cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off processor.max_cstate=0" .
2. Run sudo update-grub .
3. Reboot the system with sudo reboot .
To disable C-states in real time on the current system, which does not persist through a reboot:
1. Confirm that the libpci3 package is installed. Run dpkg-query -l libpci3 and confirm the following line is displayed: ii libpci3:amd64 1:3.2.1-3 amd64 Linux PCI Utilities (shared library) . The first field should read ii . If not, install the libpci3 package by running sudo apt upgrade;sudo apt install libpci3 .
2. Disable C-states by running the command ./cpupower idle-set -d 2 .
C-states are disabled by default in Cumulus Linux 4.3.0 and later. |
3.7.9-4.2.1 | 4.3.0-4.4.5 |
2546991 |
The FRR service does not provide a way for automation to know if the configuration applied properly. To work around this issue, execute the vtysh -f command in the automation file before starting the FRR service to validate the functional configuration and return an error code. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2546895 |
If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following: systemd[1]: switchd.service watchdog timeout (limit 2min)!
To work around this issue, either reduce the number of configured interfaces and/or VLANs, or increase the systemd timeout for switchd.service . To increase the systemd timeout:
1. Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter.
2. Restart the switchd service with the sudo systemctl restart switchd.service command.
systemd attempts to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2546874 |
On the Dell S5232F, S5248F, S5296F, and S3048 switches, using the poweroff or halt commands does not fully power off the switch. |
4.0.0-4.4.5 | |
2546255 |
On the EdgeCore Minipack-AS8000 switch, a 100G DAC link does not come up when auto-negotiation is enabled on the neighbor. This switch does not support 100G DAC auto-negotiation at this time. | 4.0.0-4.4.5 | |
2546225 |
When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer , which causes issues with cl-support.
To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2546131 |
On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel. To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image. This workaround only works when an out-of-band network is present. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2545837 |
If you use the NCLU commands to configure NTP and run the net add time ntp source command before you run the net add time ntp server command, the /etc/ntp.conf file is misconfigured. To work around this issue, run the net add time ntp server command before you run the net add time ntp source command. |
3.7.10-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16 |
2545520 |
The length of the netlink message is not set properly for non-bridge family type messages. The same length is used for both bridge and non-bridge even though the bridge family type message has an extra attribute. This causes extra bytes to be left over in non-bridge family type netlink messages. | 3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
2545239 |
On the Mellanox switch with the Spectrum-2 ASIC, Precision Time Protocol (PTP) is not currently supported. | 4.0.0-4.3.1 | 4.4.0-4.4.5 |
2545233 |
On the Delta AG9032v1 switch, smonctl and sensors report inaccurate PSU current and power. | 4.0.0-4.4.5 | |
2545125 |
If you configure more than one VRR interface on an SVI interface, deleting one of the VRR addresses does not remove the interface/address. | 3.7.10-3.7.16, 4.0.0-4.4.5 | |
2544978 |
If you delete an undefined bond, then add a bond slave, the net commit command fails. |
3.7.9-3.7.16, 4.0.0-4.4.5 | |
2544968 |
FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:
should be:
To work around this issue, configure the interface manually in the /etc/frr/frr.conf file. |
3.7.9-3.7.16, 4.0.0-4.4.5 | |
2544957 |
NCLU incorrectly allows you to apply port security configuration on layer 2 and layer 3 ports that are not part of a bridge. | 4.0.0-4.4.5 | |
2544953 |
When you update the hostname of a switch with the NCLU net add hostname command, then run net commit , the lldpd service does not restart and other devices still see the old hostname. To work around this issue, run the sudo systemctl restart lldpd.service command. |
3.7.10-3.7.16, 4.0.0-4.4.5 | |
2544880 |
When you run the NCLU net show commit last or net show commit command, where is the last commit, no output is shown. |
4.0.0-4.4.5 | |
2544723 |
Setting ProtoDown on ports populated with SFP modules providing RJ-45 1000BASE-T interfaces does not cause the carrier to be dropped. The kernel shows carrier down; however, the remote device still shows a link. | 3.7.6-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
2544463 |
Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported . To work around this issue, do not use auto-negotiation and set the local port speed to 10G. |
3.7.9-3.7.16, 4.0.0-4.4.5 | |
2544456 |
The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. |
3.7.9-3.7.16, 4.0.0-4.4.5 | |
2544311 |
Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
2544155 |
NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order. |
3.7.5-3.7.16, 4.0.0-4.4.5 | |
2544113 |
MAC learning is not disabled by default on a double-tagged peer link interface, resulting in the MAC address changing between the MLAG bond and the peer link. To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the /etc/network/interfaces file. |
3.7.9-3.7.16, 4.0.0-4.4.5 | |
2543937 |
An interface alias configured outside FRR using iproute2 is imported into the FRR running configuration and overrides the internal description. After an FRR reload, this causes FRR to delete the interface alias in an inefficient way. Depending on how many interfaces with aliases you have configured, this can cause an FRR reload to time out. To work around this issue, remove the interface alias description from iproute2 . |
3.7.8-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
2543900 |
On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | |
2543841 |
The net show evpn vni detail json command includes an extra empty dictionary at the end of the output. |
3.7.8-3.7.16, 4.0.0-4.4.5 | |
2543816 |
On the Dell S5248F-ON switch, smond might generate syslog messages indicating that the fan input RPM is lower than the normal low speed of 2500 RPM. Speeds as low as 1700 RPM are acceptable in normal thermal environments; therefore, you can ignore these messages. |
3.7.6-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16 |
2543781 |
NCLU does not allow you to configure OSPF NSSAs. For example:
To work around this issue, use FRR instead. For example:
|
3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
2543724 |
If a hostname contains utf-8 characters, the NCLU net show lldp command outputs the following error:
|
3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
2543647 |
ERSPAN in ebtables does not work for VNIs. For example, the following rule does not work:
|
3.7.6-4.2.1 | 4.3.0-4.4.5 |
2543646 |
In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). | 3.7.6-3.7.16, 4.0.0-4.4.5 | |
2543401 |
On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces. To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. |
4.0.0-4.4.5 | |
2543211 |
In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18). |
3.7.0-3.7.16, 4.0.0-4.4.5 | |
2543164 |
The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected. To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. |
3.7.7-3.7.16, 4.0.0-4.4.5 | |
2543096 |
When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted. |
3.7.6-3.7.16, 4.0.0-4.4.5 | |
2542945 |
On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags. To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad :
|
3.7.6-3.7.16, 4.0.0-4.4.5 | |
2542837 |
On Mellanox switches, policer iptables are not working as expected. For example, when using a policer with mode KB/MB/GB to rate-limit interfaces, the syntax is accepted but the data plane transfer speed is not affected by the rule. | 3.7.6-3.7.8, 4.0.0-4.4.5 | 3.7.9-3.7.16 |
2542305 |
If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically. |
3.7.6-3.7.16, 4.0.0-4.4.5 | |
2542301 |
When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted. |
3.7.3-3.7.16, 4.0.0-4.4.5 | |
2541212 |
The maximum-prefix configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded. |
3.7.5-3.7.16, 4.0.0-4.4.5 | |
2541029 |
On switches with the Trident2 ASIC, 802.1Q-encapsulated control plane traffic received on an interface with 802.1AD configured subinterfaces might be dropped. This issue only affects QinQ configurations. |
3.7.5-3.7.16, 4.0.0-4.4.5 | |
2540753 |
If the interface alias contains a single or double quotation mark, or an apostrophe, the net show configuration commands fail with the following error:
|
3.7.5-3.7.16, 4.0.0-4.4.5 | |
2540444 |
SNMP incorrectly requires engine ID specification. |
3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540352 |
When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a match interface condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces. For example, this command is incorrect:
These commands are correct:
|
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2540340 |
NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays
Tab completion for the net add vrf command works correctly. |
3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540274 |
On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
2540204 |
When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540192 |
The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled. To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. |
3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540155 |
On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node. |
3.7.3-3.7.16, 4.0.0-4.4.5 | |
2540042 |
When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails. To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example:
|
3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540041 |
On SVIs in a VLAN-aware bridge, you cannot change the VRRP priority with NCLU. To work around this issue, run the vtysh command inside FRR to change the default priority. For example:
|
3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540040 |
Cumulus Linux uses VRRPv3 as the default version, and enables both preempt and accept mode by default. You cannot change these default values with NCLU. To work around this issue, run the vtysh commands (inside FRR) to change the default values. For example:
|
3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540031 |
NCLU does not honor auto all in the /etc/network/interfaces file and removes the existing configuration if no individual auto lines exist. |
3.7.3-3.7.16, 4.0.0-4.4.5 | |
2539994 |
When you try to remove a BGP peer group configuration with NCLU, the command fails but no warning message is shown. For example:
|
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2539962 |
When an LDAP user that does not have NCLU privileges (either in the netshow or netedit group, or in the /etc/netd.conf file) runs an NCLU command, a traceback occurs instead of a permissions error. |
3.7.0-3.7.16, 4.0.0-4.4.5 | |
2539670 |
On the Edgecore 4610-54P switch, automatic medium-dependent interface crossover (auto-MDIX) stops working on a 100M full duplex interface and does not detect the required cable connection type. |
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2539124 |
The net add interface command adds no ptm-enable for that interface in the frr.conf file. Running the net add or the net del command does not remove no ptm-enable from the frr.conf file. You have to remove it manually using vtysh. |
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2538790 |
NCLU automatically adds the VLAN ID (for the layer 3 VNI/SVI) to the bridge when you run net add vxlan . This configuration breaks network connectivity in an EVPN symmetric routing configuration using MLAG. To restore connectivity, remove the VLAN ID from the bridge. |
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2538590 |
When you configure a control plane ACL to define permit and deny rules destined to the local switch, NCLU programs the control plane ACL rules into the FORWARD chain. |
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2538562 |
On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the /etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up. After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown. To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex, or MDI-X settings. Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G. |
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2538294 |
If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. |
3.7.0-3.7.16, 4.0.0-4.4.5 | |
2537699 |
There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces:
Eventually the dhcrelay service stops. |
3.7.1-3.7.16, 4.0.0-4.4.5 | |
2537544 | When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | |
2536576 |
If you try to bring down several members of a bond remotely at the same time, the link state of one of the interfaces might not transition correctly to the down state; however, all links show down in hardware. |
4.0.0-4.4.5 | |
2536384 |
The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware. |
3.7.0-3.7.16, 4.0.0-4.4.5 | |
2536256 |
For an unresolved address, the IPROUTER default policer rule has been modified to not match on packets exiting a TUNNEL and headed to the CPU to resolve the address via ARP. As a result, the following default rule no longer matches TUNNEL ingress packets.
These packets are now policed by catch all rules. To work around this issue, the VPORT value on a TRIDENT switch must be changed from binary 011 to 100. |
4.0.0-4.4.5 | |
2536242 |
On the EdgeCore AS7712 (Tomahawk) switch running in atomic mode, when a layer 3 ECMP path is brought down, traffic traversing the path stops working for about four seconds. When the switch is changed to non-atomic mode, the delay is less than one second. This issue is seen across OSPF and static ECMP routes. | 4.0.0-4.4.5 | |
2536179 |
On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
2535986 | At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers, resulting in No buffer space available error messages on protocol sockets. When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
2535965 |
On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly. To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic. |
3.7.0-3.7.16, 4.0.0-4.4.5 | |
2535723 |
The source address of the ICMPv6 time exceeded message (traceroute hop) is sourced from the wrong VRF when the traceroute target resides on the same switch but in a different VRF. | 4.0.0-4.4.5 | |
2535605 |
FRR does not add BGP ttl-security to either the running configuration or to the /etc/frr/frr.conf file when configured on a peer group instead of a specific neighbor. To work around this issue, add ttl-security to individual neighbors instead of the peer group. |
4.0.0-4.4.5 | |
2535209 | The net show lldp command sometimes shows the port description in the Remote Port field. The net show interface command shows the correct value in the Remote Host field. To work around this issue, use the net show interface command for LLDP output when connected to Cisco equipment. | 3.7.5-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
2534977 |
On the Mellanox switch, the destination MAC address of ERSPAN GRE packets is set to all zeros; therefore, the first transit switch might drop packets. | 4.0.0-4.4.5 | 3.7.14-3.7.16 |
2534734 |
Span rules matching the out-interface as a bond do not mirror packets. | 4.0.0-4.4.5 | |
2533691 |
If you configure a VLAN under a VLAN-aware bridge and create a subinterface of the same VLAN on one of the bridge ports, the bridge and interface compete for the same VLAN and if the interface is flapped, it stops working. Correcting the configuration and running the ifreload command does not resolve the conflict. To work around this issue, correct the bridge VIDs and restart switchd or delete the subinterface. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2533625 |
PIM and MSDP entries are set to the internal COS value of 6 so they are grouped together with the bulk traffic priority group in the default traffic.conf file. However, PIM, IGMP, and MSDP are considered control-plane and should be set to the internal COS value of 7. |
4.0.0-4.4.5 | |
2533337 | When you use NCLU to bring a bond admin down (net add bond), the bond interface goes into admin down state but the switch ports enslaved to the bond remain UP. If you are using bond-lacp-bypass-allow or balance-xor mode, the host might continue to send traffic. This traffic will be dropped because although the bond slaves are UP, they are not members of the bridge. To work around this issue, use the sudo ifdown command. | 4.0.0-4.4.5 | |
2531273 | In certain cases, a peer device sends an ARP request from a source IP address that is not on the connected subnet and the switch creates a STALE neighbor entry. Eventually, the switch attempts to keep the entry fresh and sends ARP requests to the host. If the host responds, the switch has REACHABLE neighbor entries for hosts that are not on the connected subnet. To work around this issue, change the value of arp_ignore to 2. See Address Resolution Protocol in the Cumulus Linux user guide (https://docs.cumulusnetworks.com/cumulus-linux/Layer-3/Address-Resolution-Protocol-ARP/) for more information. | 4.0.0-4.4.5 | |
Fixed Issues in 4.2.1
Issue ID | Description | Affects |
---|---|---|
2556037 |
After you add an interface to the bridge, an OSPF session flap might occur |
3.7.9-4.2.0 |
2553301 | Certain IPv6 routes may be present in the kernel but missing in hardware, and you may also see the following log message in /var/log/switchd.log: sync_route.c 5255 WARN 3 routes reverted to non-ECMP due to NH table capacity, even though cl-resources-query does not reflect that the ECMP NH table is full. The reason is that a temporary, artificial ECMP container exhaustion occurs due to churn in routes and the way switchd cleans up routes, nexthops and RIFs. While performing this route cleanup, if switchd tries to delete a RIF and is unable to (because ECMP next-hops that are yet to be deleted still point to it), it puts the RIF in a pending list; as a result, all of the ECMP next-hops pointing to that RIF are also pending deletion. RIFs and their dependent ECMP next-hops linger on the pending list until the next RIF sync is done, at which point the next-hops are freed up and the routes get installed as expected. | 4.2.0 |
2553115 | On the Mellanox SN4700 switch, certain port speeds operate in both NRZ and PAM4 mode. However, Cumulus Linux currently supports only one of the two possible modes for each speed, so use the optics accordingly. Port speeds 40G, 2x40G, 50G, 2x50G, 100G, 2x100G work in NRZ mode. Port speeds 4x50G, 8x50G, 4x100G, 200G, 2x200G, 400G work in PAM4 mode. | |
2552858 | The following vulnerabilities have been announced in the BIND9 server, which is available for optional installation: CVE-2020-8619: an asterisk character in an empty non-terminal can cause an assertion failure, resulting in denial of service. CVE-2020-8622: a truncated TSIG response can lead to an assertion failure, resulting in denial of service. CVE-2020-8623: a flaw in the native PKCS#11 code can lead to a remotely triggerable assertion failure, resulting in denial of service. CVE-2020-8624: update-policy rules of type "subdomain" are enforced incorrectly, allowing updates to all parts of the zone along with the intended subdomain. Vulnerable: <= 9.11.5.P4+dfsg-5.1+deb10u1 Fixed: 9.11.5.P4+dfsg-5.1+deb10u2 | 4.0.0-4.2.0 |
2552855 |
FDB entries with type static are installed in hardware as dynamic entries with no aging instead of truly static, which might result in the entries being occasionally flushed from hardware and the kernel. For example, this might happen when a port is in the STP Blocking state during a MAC sync. | 4.2.0 |
2552817 |
CVE-2020-11724: An issue was discovered in OpenResty before 1.15.8.4. ngx_http_lua_subrequest.c allows HTTP request smuggling, as demonstrated by the ngx.location.capture API. Vulnerable: <= 1.14.2-2+deb10u2 Fixed: 1.14.2-2+deb10u3 |
4.0.0-4.2.0 |
2552646 |
When you add a member to a bond that has a subinterface configured (such as peerlink.4094), the new member is assigned only the VLAN of the subinterface for forwarding. To work around this issue, bounce the bond or shutdown the new interface and use the remaining members over the bond. |
3.7.10-3.7.13, 4.2.0 |
2552610 | The following vulnerability has been announced: CVE-2019-11360: A buffer overflow in iptables-restore in netfilter iptables 1.8.2 allows an attacker to (at least) crash the program or potentially gain code execution via a specially crafted iptables-save file. This is related to add_param_to_argv in xshared.c. | 3.7.13-4.2.0 |
2552607 |
The following vulnerability has been announced: CVE-2019-20892: net-snmp before 5.8.1.pre1 has a double free in usm_free_usmStateReference in snmplib/snmpusm.c via an SNMPv3 GetBulk request. Fixed: 5.8.0-cl4.2.1u1, 5.8.0-cl3.7.14u1 |
3.7.13, 4.0.0-4.2.0 |
2552555 |
The following vulnerability has been announced: CVE-2019-20795: iproute2 has a use-after-free in get_netnsid_from_name in ip/ipnetns.c. Vulnerable: <= 4.19.0-cl4u3 |
4.0.0-4.2.0 |
2552524 | If you edit a Cumulus Linux install image directly and provide a ZTP script within the "CL_INSTALLER_ZTP_CONTENT" variable, the ZTP shell script fails to run. | 4.2.0 |
2552505 |
Changing the order of the bridge ports might cause the bridge MAC address to change, which flaps the bridge and its ports. To work around this issue, manually set the MAC address of the bridge interface by adding hwaddress to the bridge stanza in the /etc/network/interfaces file. |
3.7.11-3.7.13, 4.0.0-4.2.0 |
2552452 |
When a bond name is too long, ifupdown2 creates the bond devices in the kernel with truncated names. | 4.2.0 |
2552297 |
The following vulnerability has been announced in net-snmp: CVE-2020-15862: A privilege escalation involving the NET-SNMP-EXTEND-MIB support (which is enabled by default at compile-time). The fixed versions disable NET-SNMP-EXTEND-MIB support. Vulnerable: <= 5.8.0-cl3u11, <= 5.8.0-cl4u4 Fixed: 5.8.0-cl3.7.14u3, 5.8.0-cl4.2.1u1 |
3.7.13, 4.0.0-4.2.0 |
2552283 |
Several vulnerabilities have been discovered in the GRUB2 bootloader. CVE-2020-10713: A flaw in the grub.cfg parsing code was found allowing to break UEFI Secure Boot and load arbitrary code. Details can be found at https://www.eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/ CVE-2020-14308: It was discovered that grub_malloc does not validate the allocation size allowing for arithmetic overflow and subsequently a heap-based buffer overflow. CVE-2020-14309: An integer overflow in grub_squash_read_symlink may lead to a heap-based buffer overflow. CVE-2020-14310: An integer overflow in read_section_from_string may lead to a heap-based buffer overflow. CVE-2020-14311: An integer overflow in grub_ext2_read_link may lead to a heap-based buffer overflow. CVE-2020-15706: script: Avoid a use-after-free when redefining a function during execution. CVE-2020-15707: An integer overflow flaw was found in the initrd size handling. Vulnerable: <= 2.02+dfsg1-20, <= 2.02+dfsg1-cl4u1 Fixed: 2.02+dfsg1-20+deb10u2, 2.02+dfsg1-cl4.2.1u1 |
4.0.0-4.2.0 |
2552204 | If the MAC address of an SVI changes, clagd does not update its permanent neighbor entry for the local interface, and it does not report the change to its MLAG peer. This leaves the MLAG peer in a state where its permanent neighbor for the MLAG peer's SVI IP address continues to use the old MAC address, which causes routed traffic over this SVI to be dropped. To work around this issue, ifdown/ifup the SVI when a MAC address changes. | 3.7.12-3.7.13, 4.0.0-4.2.0 |
2552203 |
The following vulnerability has been announced in QEMU: CVE-2020-8608: In libslirp 4.1.0, as used in QEMU 4.2.0, tcp_subr.c misuses snprintf return values, leading to a buffer overflow in later code. Vulnerable: <= 3.1+dfsg-8+deb10u6 Fixed: 3.1+dfsg-8+deb10u7 |
4.0.0-4.2.0 |
2551911 |
ifupdown2 does not account for link status or link down configuration when running dhclient . For example, ifupdown2 ignores link-down yes during ifup/ifreload and runs the DHCP module if inet dhcp is configured on the interface. ifupdown2 also runs the DHCP module even when the physical link configured for DHCP is down. |
3.7.12-4.2.0 |
2551896 | Several denial of service vulnerabilities have been announced in the qemu packages: CVE-2020-10756, CVE-2020-13361, CVE-2020-13362, CVE-2020-13754, CVE-2020-13659. Vulnerable: <= 1:3.1+dfsg-8+deb10u5 Fixed: 1:3.1+dfsg-8+deb10u6 | 4.0.0-4.2.0 |
2551887 |
On Mellanox switches, when you change the breakout configuration from 4x to 2x or from 2x to 4x, LLDP discovery fails. To resolve this issue, restart the LLDP service. |
4.2.0 |
2551871 |
If you create a route map with the set large-comm-list command and the large community list referenced does not exist, bgpd might crash. You will also see an entry in the /var/log/frr/frr.log file. |
4.2.0 |
2551853 | The following vulnerabilities have been announced in the nss packages, including libnss3, which may be used by other programs: CVE-2019-17006: Check length of inputs for cryptographic primitives. CVE-2019-17023: After a HelloRetryRequest has been sent, the client may negotiate a lower protocol than TLS 1.3, resulting in an invalid state transition in the TLS state machine. If the client gets into this state, incoming Application Data records will be ignored. CVE-2020-12399: NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys. CVE-2020-12402: During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes. Vulnerable: <= 3.42.1-1+deb10u2 Fixed: 3.42.1-1+deb10u3 | 4.0.0-4.2.0 |
2551730 | When the OVSDB VTEP scale increases, the CPU utilization increases and eventually the switch (ptmd) fails to respond to the BFD, causing the BFD session to go down. As a result OVSDB cannot read the BFD socket status and outputs a warning in the ovs-vtepd debugs: PTM socket error: Bad file descriptor. | 3.7.12-3.7.13, 4.0.0-4.2.0 |
2551727 |
In OVSDB high availability mode, if you create, then delete a binding, the FDB entry is not replaced and you see an error. | 3.7.12-3.7.13, 4.0.0-4.2.0 |
2551713 | There is a change to the default OVSDB bootstrapping process, where the script created now defaults to VLAN-aware bridge mode. If you want to use traditional bridge mode, you need to force it by editing the ovs-vtep-ctl script generated by the bootstrap process. | 3.7.12-3.7.13, 4.0.0-4.2.0 |
2551692 |
A host migrated to an 802.1X MAB port within the same broadcast domain fails to have the correct FDB entry installed if a dynamic FDB entry for that MAC address exists from previous connectivity in the broadcast domain. To work around this issue, manually delete the dynamic FDB entry that is associated with the uplink trunk port. |
3.7.12-3.7.13, 4.1.1-4.2.0 |
2551674 |
When you restart clagd , the edge port setting on the peer link changes. |
3.7.2-3.7.13, 4.0.0-4.2.0 |
2551665 | On the QuantaMesh T1048-LY4 switch, pluggables inserted into SFP+ ports are not detected. To work around this issue, downgrade to Cumulus Linux 3.7 ESR. | 4.0.0-4.2.0 |
2551650 |
The net show dot1x interface summary command output shows a MAC address with all zeros associated with a port. |
3.7.12-3.7.13, 4.0.0-4.2.0 |
2551507 |
After adding an interface to a VRF, the routing information field (RIF) is missing. | 4.2.0 |
2551290 | Non SFF-8634/SFF-8636 compliant 40G AOC modules might not link up when inserted into the Mellanox SN3700 switch. The EEPROM bytes for RX amplitude control (page 03h, bytes #236-239) are defined as volatile in the SFF specification (SFF-8634/8636); after the module power is off, the EEPROM values should return to their defaults. However, these bytes are observed to be non-volatile in the following modules: Mellanox MFP4R12CB-0XX (Luxtera); AVAGO AFBR-79Q4PACXXZ (https://www.finisar.com/sites/default/files/downloads/fcbg410qb1cxx_quadwire_40gbs_parallel_active_optical_cable_product_spec_revb7.pdf, https://www.mouser.com/ProductDetail/Finisar/FCBN410QB1C03?qs=D%252B6gCNt%2Fg2BZq7qPdKrYVA%3D%3D). Because these modules do not return to their default values correctly when they are unplugged and re-inserted, a cable might become unusable until it is reprogrammed. | 4.1.1-4.2.0 |
2551162 | switchd memory utilization might continue to increase if there are excessive and continuous link flaps over a long period of time. To work around this issue, correct the cause of the frequent link flaps. You can restart switchd with the sudo systemctl restart switchd command to recover memory; this operation is impactful to all traffic on the switch during the restart. | 3.7.11-3.7.12, 4.0.0-4.2.0 |
2550942 |
NCLU tab completion for net show displays the text add help text instead of system Information for the system option. |
3.7.11-4.2.0 |
2550872 |
In an MLAG configuration with static VXLAN, static tunnels become unreachable. | 3.7.13, 4.1.1-4.2.0 |
2550605 |
A VRRP role change over the EVPN network causes excessive BGP updates and connectivity issues to VIP for about one minute. | 4.1.1-4.2.0 |
2550478 |
VXLAN interface as in-interface or out-interface in an ACL is not supported in Spectrum-based switches. | 3.7.7-4.2.0 |
2550342 |
On Mellanox switches, when EVPN multihoming is configured, MAC moves are not detected. | 4.2.0 |
2550048 |
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2020-10690 CVE-2020-12770 CVE-2020-12826 CVE-2019-15794 CVE-2020-10711 CVE-2020-13974 CVE-2020-10732 CVE-2020-10757 CVE-2020-15780 CVE-2019-20908 CVE-2020-16166 CVE-2018-16884 CVE-2020-14356 CVE-2019-18885 CVE-2019-12379 For the detailed security status of linux, refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux | 4.2.0 |
2549793 | The asic-monitor.service fails when you configure /etc/cumulus/datapath/monitor.conf with monitor.histogram_pg.collect.port_group_list = [all_packet_pg] and there is traffic passing through the buffer. When the service fails, you see the following traceback in journalctl: | 3.7.11-3.7.13, 4.1.1-4.2.0 |
2548595 |
The net show config and net show time ntp server commands do not show NTP server configuration. |
4.1.0-4.2.0 |
2546985 |
On the EdgeCore AS7326-56X switch, the PSU fans show constant LOW warnings. | 3.7.10-3.7.12, 4.0.0-4.2.0 |
4.2.0 Release Notes
Open Issues in 4.2.0
Issue ID | Description | Affects | Fixed |
---|---|---|---|
3330705 |
When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. |
3.7.0-5.3.1 | 5.4.0 |
3330654 |
When using TACACS+, if the /etc/nsswitch.conf file specifies passwd: files tacplus (files is listed before tacplus ), the user name mapping might be incorrect; for example, the user name shown in the default prompt might be incorrect. When you use NVUE, this occurs when the priority for the authentication order of local is higher than tacacs . |
3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.4.0 | |
3327477 |
Using su to change to a user specified through TACACS+ results in becoming the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. When sudo asks for the password of the named user, it is unlikely to match that of the local tacacs0 thru tacacs15 user. |
3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.4.0 | |
3216922 |
RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). |
3.7.0-5.2.1 | 5.3.0-5.4.0 |
3216759 | With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool, and the ACL might not work correctly: hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources. To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-4.4.4 | 4.4.5 |
3209699 | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). | 3.7.0-4.3.0, 4.4.0-5.2.1 | 4.3.1, 5.3.0-5.4.0 |
3135801 | Zebra rejects MAC IP updates from BGP when the MAC mobility sequence number that BGP sends is lower than the sequence number known to zebra. When the MAC mobility sequence that BGP knows legitimately lowers (due to narrow timing conditions during convergence or after rebooting an MLAG pair one VTEP at a time), zebra rejects these updates and maintains a stale state. If the stale information that zebra uses points to the wrong VTEP address, traffic goes to the wrong VTEP and might drop. | 4.0.0-4.3.0, 4.4.0-4.4.5 | 3.7.16, 4.3.1 |
3123556 |
When you configure an interface in FRR to send IPv6 RAs before you configure the interface in the /etc/network/interfaces file, the switch does not process IPv6 RAs. To work around this issue, remove the interface configuration in FRR and reapply it. |
3.7.15-4.3.0, 4.4.0-5.1.0 | 4.3.1, 5.2.0-5.4.0 |
3119615 |
In an MLAG topology, if you admin down a single connected interface, any dynamic MAC addresses on the peer link are flushed, then added back momentarily, which creates a disruption in traffic. | 3.7.15-5.1.0 | 5.2.0-5.4.0 |
3093863 |
The snmpd process will slowly leak memory when you poll TCP-MIB objects. To work around this issue, restart the snmpd service to free memory with the systemctl restart snmpd command. |
3.7.16-4.4.3 | 4.4.4-4.4.5, 5.2.0-5.4.0 |
3077737 | The update-ports.service fails because a blank space in the comment lines of the /etc/cumulus/ports.conf file causes parsing errors. To work around this issue, remove the blank spaces in the commented lines, then restart the update-ports and switchd services. | 3.7.15-4.3.0 | 4.3.1-4.4.5, 4.4.4-4.4.5 |
3066704 | The hostapd service stops working if an 802.1X interface goes up and down many times over a long period of time. To work around this issue, restart the hostapd service with the systemctl restart hostapd command. | 3.7.15-4.3.0 | 4.3.1-4.4.5 |
3021693 |
When ARP suppression is off, Cumulus Linux sends GARPs from neighmgrd for remote neighbors over VXLAN. |
3.7.15-4.3.0, 4.4.0-4.4.3, 5.0.0-5.1.0 | 4.3.1, 4.4.4-4.4.5, 5.2.0-5.4.0 |
3007564 |
After you delete the last vxlan-remoteip configuration line from the /etc/network/interfaces file and run the ifreload -a command, the corresponding BUM flood entry is not removed. |
3.7.15-5.0.1 | 5.1.0-5.4.0, 5.2.0-5.4.0 |
2991514 |
Cumulus Linux can take a long time (100 seconds) to sync a large number of VNIs on a bridge. | 3.7.15-4.3.0 | 4.3.1-4.4.5 |
2961008 |
SNMP reports the same ifType of ethernetCsmacd(6) for loopback interfaces. |
3.7.15-4.4.2, 5.0.0-5.0.1 | 4.4.3-4.4.5, 5.1.0-5.4.0 |
2959067 |
ECMP produces errors indicating No More Resources and switchd crashes even when ECMP utilization is low. |
3.7.14.2-4.2.1 | 4.3.0-4.4.5 |
2951110 |
The net show time ntp servers command does not show any output with management VRF. |
3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.4.0 | |
2949512 |
On the EdgeCore AS4610-54T switch, the fan speed reports a minimum threshold in the logs. | 3.7.15-4.3.0 | 4.3.1-4.4.5 |
2940063 | Under certain high scale conditions, various modules might experience timeouts during cl-support collection, which results in missing data in the cl-support file. | 3.7.12-3.7.15, 4.1.1-4.3.0 | 3.7.16, 4.3.1-4.4.5, 5.0.0-5.4.0 |
2906967 |
You can’t have more than one VLAN subinterface on the same port on the same bridge. | 4.1.1-4.3.0 | 4.3.1-4.4.5 |
2899422 | Broadcom switches return a table full error when creating VXLAN gports, which causes switchd to crash. | 3.7.15-4.3.0 | 4.3.1-4.4.5 |
2896733 |
Traffic failover in a multicast topology with redundancy has the mroute stuck in a prune state and PIM join messages continue to send. To work around this issue, run the vtysh clear ip mroute command. |
3.7.15-4.3.0, 5.0.0-5.0.1 | 4.3.1-4.4.5, 5.1.0-5.4.0 |
2893895 | CVE-2020-35498: A vulnerability was found in openvswitch. A limitation in the implementation of userspace packet parsing can allow a malicious user to send a specially crafted packet causing the resulting megaflow in the kernel to be too wide, potentially causing a denial of service. The highest threat from this vulnerability is to system availability. Vulnerable: <= 2.8.90-1-cl4u5 Fixed: 2.8.90-1-cl4u6, 2.8.90-1-cl4.4.0u1, 2.8.90-1-cl5.0.0u8 | 4.0.0-4.3.1 | 4.4.0-4.4.5, 5.1.0-5.4.0 |
2891255 | CVE-2021-39925: Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file. Vulnerable: <= 2.6.20-0+deb10u1 Fixed: 2.6.20-0+deb10u2 | 4.0.0-4.4.1, 5.0.0-5.4.0 | 4.4.2-4.4.5 |
2890681 | CVE-2021-42771: relative path traversal in Babel, a set of tools for internationalising Python applications, could result in the execution of arbitrary code. Vulnerable: 2.6.0+dfsg.1-1 Fixed: 2.6.0+dfsg.1-1+deb10u1 | 4.0.0-4.4.1, 5.0.0-5.4.0 | 4.4.2-4.4.5 |
2867058 |
On the Dell Z9264F-ON switch, interfaces that use the QSFP28 module remain down after you restart switchd . |
3.7.15-4.3.0 | 4.3.1-4.4.5 |
2866084 | When you reboot a VTEP, MAC address entries might become out of sync between the kernel FDB table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries are installed against the rebooted VTEP IP address in the kernel FDB, while the correct VTEP IP is present in the EVPN MAC VNI table. To work around this issue, clear all corrupted MAC address entries in the kernel FDB with the bridge fdb del dev command, then add "vxlan-learning": "off" in the /etc/network/ifupdown2/policy.d/vxlan.json file and reboot the affected switches. | 3.7.12-4.3.0 | 4.3.1-4.4.5 |
2859177 | The cl-route-check --layer3 command fails with a memory error. For example: cumulus@switch:~$ sudo cl-route-check --layer3 Traceback (most recent call last): | 3.7.15-4.4.1 | 4.4.2-4.4.5 |
2840819 |
CVE-2021-25219: The lame server cache in BIND, a DNS server implementation, can be abused by an attacker to significantly degrade resolver performance, resulting in denial of service (large delays for responses for client queries and DNS timeouts on client hosts). | 4.0.0-4.3.0 | 4.3.1-4.4.5, 4.4.2-4.4.5, 5.0.0-5.4.0 |
2821869 | The cl-route-check --layer3 command fails with a memory error. For example: cumulus@switch:~$ sudo cl-route-check --layer3 Traceback (most recent call last): | 3.7.15-4.4.5 | 5.0.0-5.4.0 |
2792750 |
If you change the clagd-vxlan-anycast-ip setting on both MLAG peers at the same time, both peers use their unique VTEP address indefinitely. |
3.7.15-4.3.0, 4.4.0-4.4.5 | 4.3.1 |
2782033 | The following vulnerabilities have been announced in the openssl packages: CVE-2021-3711: buffer overflow vulnerability in SM2 decryption. CVE-2021-3712: buffer overrun when processing ASN.1 strings in the X509_aux_print() function. More details at https://www.openssl.org/news/secadv/20210824.txt Vulnerable: <= 1.1.1d-0+deb10u6 Fixed: 1.1.1d-0+deb10u7 | 4.0.0-4.4.1 | 4.4.2-4.4.5 |
2755615 |
When route_preferred_over_neigh is set to FALSE in the /etc/cumulus/switchd.conf file, host routes (/32 or /128) are used for forwarding in hardware instead of a local neighbor entry. |
4.0.0-4.3.0, 4.4.0-4.4.1 | 4.3.1, 4.4.2-4.4.5, 5.0.0-5.4.0 |
2754691 | CVE-2021-3672: in c-ares, a library that performs DNS requests and name resolution asynchronously, missing input validation of hostnames returned by DNS servers can lead to output of wrong hostnames (leading to Domain Hijacking). Vulnerable: 1.14.0-1 Fixed: 1.14.0-1+deb10u1 | 4.0.0-4.4.1 | 4.4.2-4.4.5 |
2754685 | CVE-2021-38165: lynx, a non-graphical (text-mode) web browser, does not properly handle the userinfo subcomponent of a URI, which can lead to leaking of credentials in cleartext in SNI data. Vulnerable: 2.8.9rel.1-3 Fixed: 2.8.9rel.1-3+deb10u1 | 4.0.0-4.4.1 | 4.4.2-4.4.5 |
2754679 | CVE-2020-26558 / CVE-2021-0129: Bluez does not properly check permissions during the pairing operation, which could allow an attacker to impersonate the initiating device. CVE-2020-27153: a double free flaw in the disconnect_cb() routine in gattool. A remote attacker can take advantage of this flaw during service discovery for denial of service, or potentially, execution of arbitrary code. Vulnerable: <= 5.50-1.2~deb10u1 Fixed: 5.50-1.2~deb10u2 | 4.0.0-4.4.1 | 4.4.2-4.4.5 |
2747605 | CVE-2021-3246: a buffer overflow in libsndfile, a library for reading/writing audio files, which could result in denial of service or potentially the execution of arbitrary code when processing a malformed audio file. Vulnerable: 1.0.28-6 Fixed: 1.0.28-6+deb10u1 | 4.0.0-4.4.1 | 4.4.2-4.4.5 |
2743186 |
When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. |
3.7.15-5.1.0 | 5.2.0-5.4.0 |
2739690 | CVE-2021-22918: An out-of-bounds read was discovered in the uv__idna_to_ascii() function of Libuv, an asynchronous event notification library, which could result in denial of service or information disclosure. Vulnerable: 1.24.1-1 Fixed: 1.24.1-1+deb10u1 | 4.0.0-4.4.1 | 4.4.2-4.4.5 |
2739639 | CVE-2021-36222: It was discovered that the Key Distribution Center (KDC) in krb5, the MIT implementation of Kerberos, is prone to a NULL pointer dereference flaw. An unauthenticated attacker can take advantage of this flaw to cause a denial of service (KDC crash) by sending a request containing a PA-ENCRYPTED-CHALLENGE padata element without using FAST. Vulnerable: <= 1.17-3+deb10u1 Fixed: 1.17-3+deb10u2 | 4.0.0-4.4.1 | 4.4.2-4.4.5 |
2734122 | CVE-2021-33910: The Qualys Research Labs discovered that an attacker-controlled allocation using the alloca() function could result in memory corruption, allowing an attacker to crash systemd and hence the entire operating system. Details can be found at https://www.qualys.com/2021/07/20/cve-2021-33910/denial-of-service-systemd.txt Vulnerable: <= 241-7~deb10u7 Fixed: 241-7~deb10u8 | 4.0.0-4.4.1 | 4.4.2-4.4.5 |
2734107 |
When withdrawal and advertisement processing occurs in short succession, type-2 routes with an IP are not imported into layer 2 VNIs. | 3.7.12-4.4.1 | 4.4.2-4.4.5 |
2730225 |
When withdrawal and advertisement processing occurs in short succession, type-2 routes with an IP are not imported into layer 2 VNIs. | 3.7.12-4.3.0, 4.4.0-4.4.1 | 4.3.1, 4.4.2-4.4.5 |
2728207 |
CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
2728206 |
CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
2728205 |
CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-4.4.1 | 4.4.2-4.4.5 |
2728138 |
CVE-2020-36221, CVE-2020-36222, CVE-2020-36223, CVE-2020-36224, CVE-2020-36225, CVE-2020-36226, CVE-2020-36227, CVE-2020-36228, CVE-2020-36229, CVE-2020-36230: Several vulnerabilities were discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of these flaws to cause a denial of service (slapd daemon crash, infinite loops) via specially crafted packets. Vulnerable: <= 2.4.47+dfsg-3+deb10u4 Fixed: 2.4.47+dfsg-3+deb10u5 |
4.0.0-4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5 |
2728134 |
CVE-2021-27212: A vulnerability in the Certificate List Exact Assertion validation was discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of this flaw to cause a denial of service (slapd daemon crash) via specially crafted packets. Vulnerable: <= 2.4.47+dfsg-3+deb10u5 Fixed: 2.4.47+dfsg-3+deb10u6 |
4.0.0-4.3.1 | 4.4.0-4.4.5 |
2716822 |
The /etc/cumulus/ports.conf file on the Dell Z9264F-ON switch does not indicate that Cumulus Linux does not support the 2x10G SFP+ ports. |
3.7.15-4.3.0 | 4.3.1-4.4.5 |
2713888 |
With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool, and the ACL might not work correctly:
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. |
3.7.15-5.0.1 | 5.1.0-5.4.0 |
2699399 |
When you run the vtysh show ip bgp vrf command, the bgpd service crashes if you use vrf all . For example:
spine01# show ip bgp vrf all statistics
vtysh: error reading from bgpd: Success (0)
Warning: closing connection to bgpd because of an I/O error!
To work around this issue, run the command against each VRF independently. |
3.7.15, 4.0.0-4.3.0 | 3.7.16, 4.3.1-4.4.5 |
2695526 |
CVE-2021-3580 CVE-2021-20305: Multiple vulnerabilities were discovered in nettle, a low level cryptographic library, which could result in denial of service (remote crash in RSA decryption via specially crafted ciphertext, crash on ECDSA signature verification) or incorrect verification of ECDSA signatures. Vulnerable: 3.4.1-1 Fixed: 3.4.1-1+deb10u1 |
4.0.0-4.3.1 | 4.4.0-4.4.5 |
2687332 |
When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usage. To work around this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example:
Before:
address-family ipv4 unicast
After:
ip route 10.10.0.0/16 Null0
This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed. |
3.7.12-4.2.1 | 4.3.0-4.4.5 |
2687159 |
CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331 CVE-2020-36332: Multiple vulnerabilities were discovered in libwebp, the implementation of the WebP image format, which could result in denial of service, memory disclosure or potentially the execution of arbitrary code if malformed images are processed. Vulnerable: 0.6.1-2 Fixed: 0.6.1-2+deb10u1 |
4.0.0-4.3.1 | 4.4.0-4.4.5 |
2685994 |
When you use the NVUE command nv set interface lo router ospf area to configure OSPF on a loopback interface, the configuration fails to apply. To work around this issue, configure the loopback interface in the desired OSPF area with the nv set vrf default router ospf area 0 network command and reference the assigned prefix of the loopback interface. For example:
cumulus@leaf01:~$ nv set vrf default router ospf area 0 network 10.10.10.1/32 |
4.0.0-5.0.1 | 5.1.0-5.4.0 |
2682971 |
CVE-2020-12762: integer overflow in the json-c JSON library, which could result in denial of service or potentially the execution of arbitrary code if large malformed JSON files are processed. Vulnerable: 0.12.2+cl4u1 Fixed: 0.12.2+cl4.4.0u1 |
4.0.0-4.3.1 | 4.4.0-4.4.5 |
2682780 |
Adding a route map configuration after a MAC access list configuration line causes the route map configuration to be applied incorrectly. To work around this issue, add the MAC access list configuration to the end of the /etc/frr/frr.conf file. |
4.2.0-4.3.1 | 4.4.0-4.4.5 |
2679950 |
CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash. Vulnerable: <= 4.3.1-6-cl3.7.14u1 Fixed: 4.3.1-6-cl3.7.16u1 |
3.7.0-3.7.15, 4.0.0-4.3.1 | 3.7.16, 4.4.0-4.4.5 |
2677049 |
CVE-2020-25681 CVE-2020-25682 CVE-2020-25683 CVE-2020-25684 CVE-2020-25685 CVE-2020-25686 CVE-2020-25687: Several vulnerabilities in dnsmasq, a small caching DNS proxy and DHCP/TFTP server, could result in denial of service, cache poisoning or the execution of arbitrary code. | 4.0.0-4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5 |
2671667 |
CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code. Vulnerable: <= 1.14.2-2+deb10u3 Fixed: 1.14.2-2+deb10u4 |
4.0.0-4.3.1 | 4.4.0-4.4.5 |
2669858 |
OpenSSH is vulnerable to CVE-2020-14145, as described in https://www.fzi.de/fileadmin/user_upload/2020-06-26-FSA-2020-2.pdf. This is an information leak in algorithm negotiation that can allow man-in-the-middle attacks on initial connection attempts without a previously stored server host key on the client. If desired, mitigation using UpdateHostKeys and HostKeyAlgorithms is also given in that paper. |
3.7.14-3.7.16, 4.0.0-4.4.5 | |
2666838 |
CVE-2021-31535: missing length validation in various functions provided by libx11, the X11 client-side library, could allow an attacker to inject X11 protocol commands on X clients, leading to authentication bypass, denial of service or potentially the execution of arbitrary code. Vulnerable: <= 1.6.7-1+deb10u1 Fixed: 1.6.7-1+deb10u2 |
4.0.0-4.3.1 | 4.4.0-4.4.5 |
2663479 |
CVE-2021-3520: integer overflow flaw in lz4, a fast LZ compression algorithm library, resulting in memory corruption. Vulnerable: 1.8.3-1 Fixed: 1.8.3-1+deb10u1 |
4.0.0-4.3.1 | 4.4.0-4.4.5 |
2656527 |
CVE-2020-18032: A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file. Vulnerable: 2.40.1-6 Fixed: 2.40.1-6+deb10u1 |
4.0.0-4.3.1 | 4.4.0-4.4.5 |
2654715 |
The cl-acltool takes a significant amount of time to run, which can slow down automation scripts. |
4.2.0-4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5 |
2652003 |
When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static FDB entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface command, then add back the 802.1x configuration. |
3.7.10-4.3.0 | 4.3.1-4.4.5 |
2648658 |
If you try to use more than one percent of max-ecmp-nexthops , you get an error indicating a failure. |
3.7.15-4.3.1 | 4.4.0-4.4.5 |
2648587 |
The received PVST BPDU for a VLAN is flooded even though the ingress port doesn’t have the VLAN tagged. | 3.7.8-3.7.14.2, 4.0.0-4.3.0 | 3.7.15-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5 |
2644053 |
The following vulnerabilities have been announced in BIND: CVE-2021-25214: a malformed incoming IXFR transfer could trigger an assertion failure in named, resulting in denial of service. CVE-2021-25215: named could crash when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query. CVE-2021-25216: the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries. Vulnerable: <= 9.11.5.P4+dfsg-5.1+deb10u4 Fixed: 9.11.5.P4+dfsg-5.1+deb10u5 |
4.0.0-4.3.1 | 4.4.0-4.4.5 |
2633062 |
The following vulnerability affects the libgstreamer-plugins-base1.0-0 package. There is no CVE yet; the Debian advisory number is DSA-4903-1. Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened. Vulnerable: 1.14.4-2 Fixed: 1.14.4-2+deb10u1 |
4.0.0-4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5 |
2617000 |
CVE-2021-26933 CVE-2021-27379: Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, privilege escalation or memory disclosure. Vulnerable: < 4.11.4+99-g8bce4698f6-1 Fixed: 4.11.4+99-g8bce4698f6-1 |
4.0.0-4.3.1 | 4.4.0-4.4.5 |
2616998 |
CVE-2021-23358: missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code. Vulnerable: 1.9.1~dfsg-1 Fixed: 1.9.1~dfsg-1+deb10u1 |
4.0.0-4.3.1 | 4.4.0-4.4.5 |
2616987 |
CVE-2020-6851 CVE-2020-8112 CVE-2020-15389 CVE-2020-27814 CVE-2020-27823 CVE-2020-27824 CVE-2020-27841 CVE-2020-27842 CVE-2020-27843 CVE-2020-27845: Multiple vulnerabilities have been discovered in openjpeg2, the open-source JPEG 2000 codec, which could result in denial of service or the execution of arbitrary code when opening a malformed image. Vulnerable: <= 2.3.0-2+deb10u1 Fixed: 2.3.0-2+deb10u2 |
4.0.0-4.3.1 | 4.4.0-4.4.5 |
2616976 |
Multiple vulnerabilities were discovered in cURL, a URL transfer library: CVE-2020-8169: partial password leak to DNS servers. CVE-2020-8177: a malicious server could cause curl -J -i to overwrite a local file. CVE-2020-8231: libcurl with CURLOPT_CONNECT_ONLY information leak due to wrong connection. CVE-2020-8284: a PASV response could trick curl into connecting back to an arbitrary IP address and port. CVE-2020-8285: libcurl could run out of stack space using FTP wildcard matching (CURLOPT_CHUNK_BGN_FUNCTION). CVE-2020-8286: failure to verify that the OCSP response matches the intended certificate. CVE-2021-22876: libcurl did not strip user credentials from the URL when populating the Referer HTTP request header. CVE-2021-22890: libcurl using an HTTPS proxy with TLS 1.3 could use the wrong session ticket and bypass the server TLS certificate check. Vulnerable: <= 7.64.0-4+deb10u1 Fixed: 7.64.0-4+deb10u2 |
4.0.0-4.3.1 | 4.4.0-4.4.5 |
2616967 |
CVE-2021-28957: lxml, a Python binding for the libxml2 and libxslt libraries, did not properly sanitize its input. This would allow a malicious user to mount a cross-site scripting attack. Vulnerable: <= 4.3.2-1+deb10u2 Fixed: 4.3.2-1+deb10u3 |
4.0.0-4.3.1 | 4.4.0-4.4.5 |
2616964 |
CVE-2021-27291: Pygments, a syntax highlighting package written in Python 3, used regular expressions which could result in denial of service. Vulnerable: <= 2.3.1+dfsg-1+deb10u1 Fixed: 2.3.1+dfsg-1+deb10u2 |
4.0.0-4.3.1 | 4.4.0-4.4.5 |
2616954 |
CVE-2021-3449: A NULL pointer dereference was found in the signature_algorithms processing in OpenSSL, a Secure Sockets Layer toolkit, which could result in denial of service. Vulnerable: <= 1.1.1d-0+deb10u5 Fixed: 1.1.1d-0+deb10u6 |
4.0.0-4.3.1 | 4.4.0-4.4.5 |
2614016 |
The switch firmware incorrectly identifies Lenovo LR4 transceivers (part number 00YD278) and does not set the laser levels properly, which can prevent the link from coming up or might cause the transceiver to be identified as a 1G module. | 4.2.0-4.3.1 | 4.4.0-4.4.5 |
2578872 |
CVE-2021-20270: It was discovered that Pygments, a syntax highlighting package written in Python, could be forced into an infinite loop, resulting in denial of service. Vulnerable: 2.3.1+dfsg-1 Fixed: 2.3.1+dfsg-1+deb10u1 |
4.0.0-4.3.1 | 4.4.0-4.4.5 |
2578870 |
CVE-2020-35523 CVE-2020-35524: Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed. Vulnerable: <= 4.1.0+git191117-2~deb10u1 Fixed: 4.1.0+git191117-2~deb10u2 |
4.0.0-4.3.1 | 4.4.0-4.4.5 |
2578845 |
The Mellanox SN2700 and SN2410 switches intermittently report PSU fan state changes with Unable to read from device/fan1_input/pwm1 syslog messages. |
3.7.11-3.7.14, 4.1.1-4.3.0 | 3.7.14.2-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5 |
2574368 |
When you run the NCLU net add bgp maximum-paths ibgp command, FRR restarts unexpectedly. To work around this issue, either use the vtysh commands or edit the /etc/frr/frr.conf file directly, then run systemctl reload frr . |
4.1.1-4.4.5 | |
2566880 |
CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range. | 3.7.14-3.7.14.2, 4.0.0-4.3.1 | 3.7.15-3.7.16, 4.4.0-4.4.5 |
2564534 |
Several vulnerabilities have been discovered in the GRUB2 bootloader. CVE-2020-14372: It was discovered that the acpi command allows a privileged user to load crafted ACPI tables when Secure Boot is enabled. CVE-2020-25632: A use-after-free vulnerability was found in the rmmod command. CVE-2020-25647: An out-of-bound write vulnerability was found in the grub_usb_device_initialize() function, which is called to handle USB device initialization. CVE-2020-27749: A stack buffer overflow flaw was found in grub_parser_split_cmdline. CVE-2020-27779: It was discovered that the cutmem command allows a privileged user to remove memory regions when Secure Boot is enabled. CVE-2021-20225: A heap out-of-bounds write vulnerability was found in the short form option parser. CVE-2021-2023: A heap out-of-bound write flaw was found, caused by mis-calculation of the space required for quoting in the menu rendering. |
4.0.0-4.3.1 | 4.4.0-4.4.5 |
2556782 |
CVE-2021-0326: An issue has been found in wpa, a set of tools to support WPA and WPA2 (IEEE 802.11i). Missing validation of data can result in a buffer over-write, which might lead to a DoS of the wpa_supplicant process or potentially arbitrary code execution. Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u1 |
3.7.14-3.7.14.2, 4.0.0-4.3.1 | 3.7.15-3.7.16, 4.4.0-4.4.5 |
2556777 |
CVE-2021-26937: A flaw in the handling of combining characters in screen, a terminal multiplexer with VT100/ANSI terminal emulation can result in denial of service, or potentially the execution of arbitrary code via a specially crafted UTF-8 character sequence. Vulnerable: 4.6.2-3 Fixed: 4.6.2-3+deb10u1 |
4.0.0-4.3.1 | 4.4.0-4.4.5 |
2556775 |
DSA-4859-1 (no CVE): zstd, a compression utility, was vulnerable to a race condition: it temporarily exposed, during a very short timeframe, a world-readable version of its input even if the original file had restrictive permissions. Vulnerable: <= 1.3.8+dfsg-3+deb10u1 Fixed: 1.3.8+dfsg-3+deb10u2 |
4.0.0-4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5 |
2556764 |
In a configuration with both traditional and vlan-aware bridges, the VLAN membership check on a vlan-aware switch does not drop PVST BPDUs that come from a traditional bridge. | 3.7.14-3.7.14.2, 4.0.0-4.3.0 | 3.7.15-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5 |
2556730 |
CVE-2020-8625: A buffer overflow vulnerability was discovered in the SPNEGO implementation affecting the GSSAPI security policy negotiation in BIND, a DNS server implementation, which could result in denial of service (daemon crash), or potentially the execution of arbitrary code. Vulnerable: <= 9.11.5.P4+dfsg-5.1+deb10u2 Fixed: 9.11.5.P4+dfsg-5.1+deb10u3 |
4.0.0-4.3.1 | 4.4.0-4.4.5 |
2556691 |
The following vulnerabilities have been announced in the openssl packages: CVE-2021-23840: Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. CVE-2021-23841: The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However, it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. CVE-2019-1551: There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also, applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Vulnerable: <= 1.1.1d-0+deb10u4 Fixed: 1.1.1d-0+deb10u5 |
4.0.0-4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5 |
2556569 |
DSA-4850-1 (no CVE): libzstd adds read permissions to files while being compressed or uncompressed. Vulnerable: 1.3.8+dfsg-3 Fixed: 1.3.8+dfsg-3+deb10u1 |
4.0.0-4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5 |
2556500 |
Cumulus Linux does not support bond members at 200G or greater. | 4.0.0-4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5 |
2556279 |
CVE-2021-3156: A serious heap-based buffer overflow has been discovered in sudo that is exploitable by any local user. It has been given the name Baron Samedit by its discoverer. The bug can be leveraged to elevate privileges to root, even if the user is not listed in the sudoers file. User authentication is not required to exploit the bug. Vulnerable: <= 1.8.27-1+deb10u2 Fixed: 1.8.27-1+deb10u3 |
4.0.0-4.2.1 | 4.3.0-4.4.5 |
2556217 |
The following vulnerability affects lldpd: CVE-2020-27827: A packet that contains multiple instances of certain TLVs will cause lldpd to continually allocate memory and leak the old memory. As an example, multiple instances of system name TLV will cause old values to be dropped by the decoding routine. Fixed: 1.0.4-0-cl4.3.0u2 |
3.7.14-3.7.14.2, 4.0.0-4.4.5 | 3.7.15-3.7.16 |
2556081 |
You cannot set the time zone with NCLU commands. | 4.1.1-4.4.5 | |
2556037 |
After you add an interface to the bridge, an OSPF session flap might occur. |
3.7.9-4.2.0 | 4.2.1-4.4.5 |
2556010 |
On Broadcom switches, after repeated VLAN or VXLAN configuration changes, switchd memory might not free up appropriately, which can lead to a crash. |
3.7.14, 4.0.0-4.4.5 | 3.7.14.2-3.7.16 |
2555761 |
The following vulnerabilities were announced in the p11-kit (libp11-kit0) packages: CVE-2020-29361: Multiple integer overflows have been discovered in the array allocations in the p11-kit library and the p11-kit list command, where overflow checks are missing before calling realloc or calloc. CVE-2020-29362: A heap-based buffer over-read has been discovered in the RPC protocol used by the p11-kit server/remote commands and the client library. When the remote entity supplies a byte array through a serialized PKCS#11 function call, the receiving entity may allow the reading of up to 4 bytes of memory past the heap allocation. CVE-2020-29363: A heap-based buffer overflow has been discovered in the RPC protocol used by p11-kit server/remote commands and the client library. When the remote entity supplies a serialized byte array in a CK_ATTRIBUTE, the receiving entity may not allocate sufficient length for the buffer to store the deserialized value. Vulnerable: 0.23.15-2 Fixed: 0.23.15-2_deb10u1 |
4.0.0-4.2.1 | 4.3.0-4.4.5 |
2555531 |
QinQ (802.1Q) packets routed to a layer 3 subinterface are still double tagged with the VLAN of the subinterface and the original inner VLAN when they leave the subinterface. | 4.2.0-4.4.5 | 3.7.15-3.7.16 |
2555528 |
In an EVPN Active/Active configuration, when one of the peers reboots and begins to refresh IP neighbor entries shared by the MLAG peer, some of these ARP messages might be dropped by the MLAG peer’s ARP policer. To work around this issue, increase the burst value of the ARP policers to 200 or higher. |
3.7.14-4.2.1 | 4.3.0-4.4.5 |
2555484 |
ospf6d restarts when you run the NCLU net show ospf6 database command or the vtysh show ipv6 ospf6 database command. |
4.2.0-4.2.1 | 4.3.0-4.4.5 |
2555400 |
On the Edgecore AS7312 switch, eth0 and swp use the same MAC address. | 3.7.14-3.7.14.2, 4.0.0-4.4.5 | 3.7.15-3.7.16 |
2555373 |
CVE-2020-27350: Missing input validation in the ar/tar implementations of APT, the high level package manager, could cause out-of-bounds reads or infinite loops, resulting in denial of service when processing malformed deb files. CVE-2020-27351: Various memory and file descriptor leaks were discovered in the Python interface to the APT package management runtime library, which could result in denial of service. Vulnerable: apt <= 1.8.2.1, python-apt <= 1.8.4.1 Fixed: apt 1.8.2.2, python-apt 1.8.4.3 |
4.0.0-4.2.1 | 4.3.0-4.4.5 |
2555339 |
The following vulnerability has been announced in OpenSSL: CVE-2020-1971: A flaw in the GENERAL_NAME_cmp() function could cause a NULL dereference when both GENERAL_NAMEs contain an EDIPARTYNAME, resulting in denial of service. More information can be found at https://www.openssl.org/news/secadv/20201208.txt. Vulnerable: <= 1.1.1d-0+deb10u3 Fixed: 1.1.1d-0+deb10u4 |
4.0.0-4.2.1 | 4.3.0-4.4.5 |
2554990 |
When running traditional mode bridges at scale (for example, when you have more than 200 bridges and a large number of MAC addresses), MLAG bonds flap intermittently from dual to single connected, then back to dual connected, which causes a layer 2 loop and STP state changes. To work around this issue, either shut down one side of the MLAG bond or prune out VLANS over the bond. |
3.7.13-3.7.14.2, 4.0.0-4.4.5 | 3.7.15-3.7.16 |
2554982 |
CVE-2020-28196: MIT Kerberos 5 (aka krb5) before 1.17.2 and 1.18.x before 1.18.3 allows unbounded recursion via an ASN.1-encoded Kerberos message because the lib/krb5/asn.1/asn1_encode.c support for BER indefinite lengths lacks a recursion limit. Vulnerable: 1.17-3 Fixed: 1.17-3+deb10u1 |
4.0.0-4.2.1 | 4.3.0-4.4.5 |
2554834 |
CVE-2020-25709, CVE-2020-25710: Two vulnerabilities in the certificate list syntax verification and in the handling of CSN normalization were discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of these flaws to cause a denial of service (slapd daemon crash) via specially crafted packets. Vulnerable: <= 2.4.47+dfsg-3+deb10u3 Fixed: 2.4.47+dfsg-3+deb10u4 |
4.0.0-4.2.1 | 4.3.0-4.4.5 |
2554798 |
On the Mellanox SN3700C switch, PIM multicast packets are duplicated at the egress VTEP. | 4.2.0-4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5 |
2554785 |
After you reboot a Broadcom switch, switchd might fail to restart and you see logs in switchd.log similar to the following:
Nov 12 12:20:05.063876 leaf01 switchd[9867]:
Nov 12 12:20:05.064310 leaf01 switchd[9867]: hal_bcm_console.c:294 0:system_init:
Nov 12 12:20:05.064428 leaf01 switchd[9867]: hal_bcm_console.c:294 system_init: Misc init failed: Operation timed out
Nov 12 12:20:05.064464 leaf01 switchd[9867]:
Nov 12 12:20:05.091995 leaf01 switchd[9867]: hal_bcm_console.c:294 LED: Loading 256 bytes into LED program memory
Nov 12 12:20:05.092029 leaf01 switchd[9867]:
Nov 12 12:20:05.099547 leaf01 switchd[9867]: hal_bcm_console.c:294 PORT: Error: bcm ports not initialized
Nov 12 12:20:05.099579 leaf01 switchd[9867]:
Nov 12 12:20:05.099646 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /var/lib/cumulus/rc.datapath_0: line 81 (error code -1): script terminated
Nov 12 12:20:05.099667 leaf01 switchd[9867]:
Nov 12 12:20:05.099775 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /etc/bcm.d/rc.soc: line 70 (error code -1): script terminated
Nov 12 12:20:05.099798 leaf01 switchd[9867]:
Nov 12 12:20:05.099871 leaf01 switchd[9867]: hal_bcm_console.c:294 ERROR loading rc script on unit 0
Nov 12 12:20:05.099892 leaf01 switchd[9867]:
Nov 12 12:20:05.099943 leaf01 switchd[9867]: hal_bcm_console.c:299 CRIT loading of rc script failed, aborting!
To work around this issue, configure Cumulus Linux to boot with the intel_iommu=off kernel command line option:
1. Open the /etc/default/grub file with a text editor.
2. Edit the GRUB_CMDLINE_LINUX variable by adding the string intel_iommu=off at the end. For example: GRUB_CMDLINE_LINUX="cl_platform=cel_e1031 console=ttyS1,115200n8 intel_iommu=off"
3. Run the update-grub command.
4. Reboot the switch. |
3.7.11-4.2.1 | 4.3.0-4.4.5 |
2554720 |
If switchd successfully signals clagd that it is going down, clagd stops responding to keepalive echo requests from the peer instead of sending a goodbye to the peer over both the peerlink and the backup switch. Eventually, the keepalive timer expires, the secondary switch becomes the primary, and it brings the bonds and VNIs back up. However, if switchd does not successfully signal that it is going down (in the event of a crash), the primary switch continues to respond to keepalives, and the bonds and VNIs are down on both peers. |
3.7.12-3.7.14.2, 4.0.0-4.4.5 | 3.7.15-3.7.16 |
2554707 |
On the Dell S5048F-ON switch, optical transceivers do not come up and the modules are in reset mode. | 4.0.0-4.2.1 | 4.3.0-4.4.5 |
2554588 |
If you try to reconfigure a DHCP server after you delete the switch configuration with the net del all command, the dhcpd service fails because a duplicate process is running. To work around this issue, edit the /usr/lib/python2.7/dist-packages/nclu/plugins/dhcp.py file to change:
DHCPD_PID="-pf {0}"
to:
DHCPD_PID="-pf {1}" |
3.7.13-4.2.1 | 4.3.0-4.4.5 |
2554582 |
On switches with the Maverick ASIC, control traffic is dropped due to receive buffering. | 4.2.0-4.4.5 | |
2554533 |
On the ARM platform, NTP peer associations slowly increase to larger offsets (~500ms). | 4.0.0-4.4.5 | |
2554503 |
If the peer link does not trunk all VLANs on an MLAG bond, the FDB entries learned through that MLAG bond are not redirected over the peer link when the MLAG bond goes down. As a result, traffic destined to those MAC addresses that arrives on the MLAG peer with the downed MLAG port is dropped. To work around this issue, ensure that the peer link trunks all VLANs that exist on all MLAG bonds. |
4.2.0-4.2.1 | 4.3.0-4.4.5 |
2554369 |
Certain Dell S4048-ON switches show an incorrect vendor name and hang when you issue the reboot command. |
3.7.12-4.2.1 | 4.3.0-4.4.5 |
2554299 |
In a VRRP configuration, BGP unnumbered sessions for VRFs fail to establish after a networking restart. | 4.2.0-4.3.1 | 4.4.0-4.4.5 |
2554246 |
When you back up and restore a configuration using the conf-backup utility, the switch might hang when rebooted. | 4.1.1-4.2.1 | 4.3.0-4.4.5 |
2554218 |
MLAG packets received on the peer link are dropped instead of routed. | 4.2.0-4.4.5 | |
2553952 |
On Mellanox Spectrum based switches running 4.1.0 or higher, if FORWARD chain ACLs are configured on the system, a switch port breakout action applied with a reload of the switchd service may cause switchd to crash. | 4.2.0-4.4.5 | |
2553887 |
When using TACACS+ configured with a DEFAULT user that provides a privilege level lower than 16, TACACS+ configured users with privilege level 16 access might not be able to run privilege level 16 NCLU commands, such as net add and net del, and you see an error similar to the following:
To work around this issue, remove the DEFAULT user from the TACACS+ server. |
3.7.7-3.7.16, 4.0.0-4.4.5 | |
2553731 |
A ping via a dual-connected bond fails, and the audio stream is not routed or encapsulated through the layer 3 VNI. | 3.7.12-3.7.13, 4.0.0-4.4.5 | 3.7.14-3.7.16 |
2553677 |
When you configure an SNMPv3 user with the net-snmp-config configuration command from the libsnmp-dev package, you get an error message similar to the one below:
To work around this issue, use the NCLU command to configure SNMPv3 user parameters; for example:
Alternatively, directly edit the /etc/snmp/snmpd.conf file as described in the documentation. |
3.7.13-3.7.16, 4.0.0-4.4.5 | |
2553586 |
Multicast traffic on a VPN is sent to remote VTEPs that are not part of the VPN and the remote VTEPs receive multicast traffic encapsulated in a VXLAN ID that doesn’t exist. To work around this issue, disable IGMP snooping on the switch. |
3.7.12-3.7.13, 4.0.0-4.4.5 | 3.7.14-3.7.16 |
2553568 |
After a MAC address moves from one remote VTEP to another, the MAC address continues to point to the old VTEP IP address in hardware. | 4.1.1-4.2.1 | 4.3.0-4.4.5 |
2553529 |
In an MLAG configuration with a layer 3 VNI, when you bounce the peer link, all layer 2 VNIs listed under the layer 3 VNI are duplicated. To work around this issue, restart FRR with the sudo systemctl restart frr.service command. |
3.7.10-3.7.13, 4.1.1-4.4.5 | 3.7.14-3.7.16 |
2553468 |
Digital Optical Monitoring (DOM) Data is displayed incorrectly on SFP fiber modules inserted in the Fiberstore N8500-48B6C, Celestica Questone, and Celestica RedstoneV switches. | 4.2.0-4.2.1 | 4.3.0-4.4.5 |
2553349 |
When you delete a layer 2 VNI and VLAN, the layer 3 VNI reports an incorrect layer 2 VNI number. To work around this issue, either restart FRR or delete the VNI interface first, then delete the VLAN/SVI. |
4.2.0-4.2.1 | 4.3.0-4.4.5 |
2553301 |
Certain IPv6 routes may be present in the kernel but missing in hardware, and you may also see the following log messages in /var/log/switchd.log:
sync_route.c 5255 WARN 3 routes reverted to non-ECMP due to NH table capacity
even though cl-resources-query does not reflect that the ECMP NH table is full. The reason is that a temporary/artificial ECMP container exhaustion occurs due to a churn in routes and how switchd cleans up the routes, nexthops and RIFs. While performing this route cleanup operation, if switchd tries to delete a RIF and is unable to (since there are ECMP next-hops pointing to it which are yet to be deleted), it puts the RIF in a pending list. As a result, all of the ECMP next-hops pointing to the RIF are also pending deletion. RIFs and dependent ECMP next-hops linger on the pending list until the next RIF sync is done, at which point the next-hops are freed up and the routes get installed as expected. | 4.2.0 | 4.2.1-4.4.5 |
2553278 |
Leaked routes are sometimes missing from the destination VRF after a reboot. | 4.2.0-4.2.1 | 4.3.0-4.4.5 |
2553237 |
The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF. NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF. |
4.2.0-4.4.5 | |
2553219 |
You cannot configure SNMPv3 trap-destinations in non-default VRFs with an authentication username that contains fewer than eight characters. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
2553118 |
The Dell 100G-LR4 (Innolight) transceiver cannot link up due to a power budget exceeded error on the Mellanox SN4600C switch. | 4.2.0-4.2.1 | 4.3.0-4.4.5 |
2553116 |
When you manually set the link speed or duplex mode with ethtool to an unsupported value, then run a TDR check against the interface, you encounter a switchd service heartbeat failure. To work around this issue, reboot the switch to clear the condition. Avoid setting the interface speed or duplex mode directly with ethtool. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2553015 |
If the PortID advertised by an LLDP neighbor contains a special character, the net show interface command does not display the LLDP information or the command might fail. |
3.7.10-3.7.16, 4.2.0-4.4.5 | |
2552939 |
The RX_DRP counter on a bond interface increases without any data traffic, while the counter on the bond member (slave) port does not. | 3.7.12-4.2.1 | 4.3.0-4.4.5 |
2552869 |
On the Dell N3048EP switch, the module information from SFP ports is not displayed in the l1-show command. To work around this issue, use the ethtool -m command. |
3.7.13-4.2.1 | 4.3.0-4.4.5 |
2552858 |
The following vulnerabilities have been announced in the BIND9 server, which is available for optional installation:
CVE-2020-8619: an asterisk character in an empty non-terminal can cause an assertion failure, resulting in denial of service.
CVE-2020-8622: a truncated TSIG response can lead to an assertion failure, resulting in denial of service.
CVE-2020-8623: a flaw in the native PKCS#11 code can lead to a remotely triggerable assertion failure, resulting in denial of service.
CVE-2020-8624: update-policy rules of type “subdomain” are enforced incorrectly, allowing updates to all parts of the zone along with the intended subdomain.
Vulnerable: <= 9.11.5.P4+dfsg-5.1+deb10u1 Fixed: 9.11.5.P4+dfsg-5.1+deb10u2 |
4.0.0-4.2.0 | 4.2.1-4.4.5 |
2552855 |
FDB entries with type static are installed in hardware as dynamic entries with no aging instead of truly static, which might result in the entries being occasionally flushed from hardware and the kernel. For example, this might happen when a port is in the STP Blocking state during a MAC sync. | 4.2.0-4.4.5 | |
2552853 |
Tenant VRF BGP peers appear in the EVPN RMAC and nexthop tables, which causes the kernel RMAC to point at invalid IP address. | 3.7.12-3.7.14.2, 4.0.0-4.4.5 | 3.7.15-3.7.16 |
2552817 |
CVE-2020-11724: An issue was discovered in OpenResty before 1.15.8.4. ngx_http_lua_subrequest.c allows HTTP request smuggling, as demonstrated by the ngx.location.capture API. Vulnerable: <= 1.14.2-2+deb10u2 Fixed: 1.14.2-2+deb10u3 |
4.0.0-4.2.0 | 4.2.1-4.4.5 |
2552744 |
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks: CVE-2020-14351 CVE-2020-29660 CVE-2020-29661 CVE-2020-25704 CVE-2020-28974 CVE-2020-25705 CVE-2020-28915 CVE-2020-25211 CVE-2019-19338 CVE-2020-0305 CVE-2019-18885 CVE-2019-19072 CVE-2020-12652 CVE-2020-24394 CVE-2020-25641 CVE-2019-3874 CVE-2019-5489. (CVE-2020-27825, CVE-2020-29369, CVE-2020-29372 and CVE-2020-29534 are not applicable to Cumulus Linux.) For the detailed security status of linux, refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux |
4.2.0-4.2.1 | 4.3.0-4.4.5 |
2552742 |
On the Mellanox SN2410 switch, you see switchd core and GBIN_MALLOC errors. To work around this issue, restart switchd. |
3.7.12-4.2.1 | 4.3.0-4.4.5 |
2552710 |
The MLAG bonds on a secondary switch do not change to a unique MAC address on the peerlink. As a result, a backup double failure can occur where both peers go down. | 4.2.0-4.2.1 | 4.3.0-4.4.5 |
2552704 |
In a traditional bridge configuration with ip-forward off, neighbors are synchronized to hardware with a switchd restart but are cleared when you flap the bridge interface. |
3.7.10-3.7.14.2, 4.0.0-4.4.5 | 3.7.15-3.7.16 |
2552691 |
On the EdgeCore AS4610 switch, the eth0 interface remains down when physically connected to a 1G interface. To work around this issue, configure the link speed to 1000 and set auto-negotiation on for the eth0 interface, then flap eth0 with the ip link set eth0 down/up command to bring up the port. |
4.2.0-4.4.5 | |
2552687 |
When you boot Cumulus VX 4.2 for the first time, ZTP does not execute because it thinks that the /etc/shadow file has been modified. This is due to the default password change implemented in Cumulus Linux 4.2. To work around this issue, boot the switch, manually change the password, then run sudo ztp -R to reset the ZTP script. |
4.2.0-4.2.1 | 4.3.0-4.4.5 |
2552646 |
When you add a member to a bond that has a subinterface configured (such as peerlink.4094), the new member is assigned only the VLAN of the subinterface for forwarding. To work around this issue, bounce the bond, or shut down the new interface and use the remaining members of the bond. |
3.7.10-3.7.13, 4.2.0-4.4.5 | 3.7.14-3.7.16 |
2552610 |
The following vulnerability has been announced: CVE-2019-11360: A buffer overflow in iptables-restore in netfilter iptables 1.8.2 allows an attacker to (at least) crash the program or potentially gain code execution via a specially crafted iptables-save file. This is related to add_param_to_argv in xshared.c. |
3.7.13-4.2.0 | 4.2.1-4.4.5 |
2552607 |
The following vulnerability has been announced: CVE-2019-20892: net-snmp before 5.8.1.pre1 has a double free in usm_free_usmStateReference in snmplib/snmpusm.c via an SNMPv3 GetBulk request. Fixed: 5.8.0-cl4.2.1u1, 5.8.0-cl3.7.14u1 |
3.7.13, 4.0.0-4.4.5 | 3.7.14-3.7.16 |
2552555 |
The following vulnerability has been announced: CVE-2019-20795: iproute2 has a use-after-free in get_netnsid_from_name in ip/ipnetns.c. Vulnerable: <= 4.19.0-cl4u3 |
4.0.0-4.2.0 | 4.2.1-4.4.5 |
2552527 |
Ingress SPAN/ERSPAN does not mirror packets when the next hop is EVPN encapsulated. | 3.7.7-3.7.13, 4.0.0-4.4.5 | 3.7.14-3.7.16 |
2552524 |
If you edit a Cumulus Linux install image directly and provide a ZTP script within the “CL_INSTALLER_ZTP_CONTENT” variable, the ZTP shell script fails to run. | 4.2.0 | 4.2.1-4.4.5 |
2552505 |
Changing the order of the bridge ports might cause the bridge MAC address to change, which flaps the bridge and its ports. To work around this issue, manually set the MAC address of the bridge interface by adding hwaddress to the bridge stanza in the /etc/network/interfaces file. |
3.7.11-3.7.13, 4.0.0-4.4.5 | 3.7.14-3.7.16 |
2552453 |
On the Mellanox switch, RoCE with PFC configuration is not applied to all ports in hardware when a range is used in the traffic.conf file. To work around this issue, use NCLU to configure RoCE with PFC or list individual ports in the traffic.conf file. |
4.2.0-4.4.5 | |
2552452 |
When a bond name is too long, ifupdown2 creates the bond devices in the kernel with truncated names. | 4.2.0 | 4.2.1-4.4.5 |
2552309 |
The following messages are seen on an EdgeCore Minipack AS8000 running Cumulus Linux 4.2.0:
These messages are for internal validation purposes only and can be safely ignored. |
4.2.0-4.4.5 | |
2552297 |
The following vulnerability has been announced in net-snmp: CVE-2020-15862: A privilege escalation involving the NET-SNMP-EXTEND-MIB support (which is enabled by default at compile-time). The fixed versions disable NET-SNMP-EXTEND-MIB support. Vulnerable: <= 5.8.0-cl3u11, <= 5.8.0-cl4u4 Fixed: 5.8.0-cl3.7.14u3, 5.8.0-cl4.2.1u1 |
3.7.13, 4.0.0-4.4.5 | 3.7.14-3.7.16 |
2552294 |
NCLU restarts FRR when removing a BGP VRF IPv4 aggregate-address command. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2552283 |
Several vulnerabilities have been discovered in the GRUB2 bootloader.
CVE-2020-10713: A flaw in the grub.cfg parsing code was found that allows breaking UEFI Secure Boot and loading arbitrary code. Details can be found at https://www.eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/
CVE-2020-14308: It was discovered that grub_malloc does not validate the allocation size, allowing for arithmetic overflow and subsequently a heap-based buffer overflow.
CVE-2020-14309: An integer overflow in grub_squash_read_symlink may lead to a heap-based buffer overflow.
CVE-2020-14310: An integer overflow in read_section_from_string may lead to a heap-based buffer overflow.
CVE-2020-14311: An integer overflow in grub_ext2_read_link may lead to a heap-based buffer overflow.
CVE-2020-15706: A use-after-free when a function is redefined during script execution.
CVE-2020-15707: An integer overflow flaw was found in the initrd size handling.
Vulnerable: <= 2.02+dfsg1-20, <= 2.02+dfsg1-cl4u1 Fixed: 2.02+dfsg1-20+deb10u2, 2.02+dfsg1-cl4.2.1u1 |
4.0.0-4.2.0 | 4.2.1-4.4.5 |
2552266 |
OpenSSH scp is vulnerable to CVE-2020-15778, where clients that have authorized access to the SSH server can execute commands on the server by copying maliciously named files. There are two scenarios where an exploit may be useful to an attacker:
- The user is authorized to scp but not ssh (based on the command option in the authorized_keys file), so this vulnerability can allow executing a remote command on the target computer when not authorized to do so.
- An attacker plants a maliciously named file in a directory tree that someone later uses scp -r to copy over to the target computer.
Be aware that restricting users to scp by using the command option in the authorized_keys file is not effective in preventing those users from executing arbitrary commands on the server. If you want to use scp -r to copy directory trees, avoid copying directory trees to which attackers may have added maliciously named files. Archiving the directory tree with tar, zip, or a similar program, then copying the archive over to be extracted on the server avoids having to use scp -r altogether. In addition, OpenSSH provides sftp, which you can use instead of scp to copy files. To disable scp completely, use /bin/chmod 0 /usr/bin/scp . |
3.7.14-3.7.16, 4.0.0-4.4.5 | |
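As an added example (written for this page, not part of the release notes or of OpenSSH), a Python pre-flight check for the scp -r scenario described above: it walks a directory tree, reports any entry whose name contains shell metacharacters (backticks and $( ) being the carriers in CVE-2020-15778), and packs a clean tree into a single gzip'd tar so that one file can be copied with scp or sftp instead of copying the tree with scp -r. The sample tree it builds, including the poisoned file name, is constructed for the demonstration; the function and variable names are the example's own.

```python
import io
import os
import tarfile
import tempfile

# Characters a remote shell would interpret if a file name ever reached it
# unquoted. Backticks and $( ) are the classic carriers; the rest are just as
# unwelcome in a path that ends up on a remote command line.
META_CHARS = "`$;|&<>(){}\\\"'\n"


def has_meta(name):
    """True when a single path component contains a shell metacharacter."""
    return any(c in META_CHARS for c in name)


def suspicious_names(root):
    """Tree-relative paths whose file or directory name contains shell metacharacters."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if has_meta(name):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def safe_for_scp_r(root):
    """Precondition for scp -r: no entry under root carries an interpretable name."""
    return not suspicious_names(root)


def archive_tree(root):
    """Pack the tree into one gzip'd tar (kept in memory here). Copying that single
    archive with scp or sftp is the workaround the advisory recommends; file names
    travel inside the archive and are never handed to a remote shell by scp."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        tar.add(root, arcname=os.path.basename(root))
    return buf.getvalue()


def build_demo_tree():
    """Constructed sample (not from the page): one harmless config file and one
    file whose *name* carries a command. The file content is irrelevant."""
    root = tempfile.mkdtemp(prefix="scp-demo-")
    os.makedirs(os.path.join(root, "configs"))
    with open(os.path.join(root, "configs", "interfaces"), "w") as fh:
        fh.write("auto eth0\niface eth0 inet dhcp\n")
    with open(os.path.join(root, "configs", "`touch pwned`"), "w") as fh:
        fh.write("")
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for rel in suspicious_names(demo):
        print("refusing scp -r: unsafe name", repr(rel))
    if safe_for_scp_r(demo):
        print("tree is clean; archive is", len(archive_tree(demo)), "bytes")
    else:
        print("copy the tar archive instead:", len(archive_tree(demo)), "bytes")
```

Point it at the directory you intend to copy; an empty result from suspicious_names() is the precondition for scp -r, and archive_tree() (or tar on the command line) is the path to take when the result is not empty.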
2552204 |
If the MAC address of an SVI changes, clagd does not update its permanent neighbor entry for the local interface, and it does not report the change to its MLAG peer. This leaves the MLAG peer in a state where its permanent neighbor for the MLAG peer’s SVI IP address continues to use the old MAC address, which causes routed traffic over this SVI to be dropped. To work around this issue, ifdown/ifup the SVI when a MAC address changes. |
3.7.12-3.7.13, 4.0.0-4.4.5 | 3.7.14-3.7.16 |
2552203 |
The following vulnerability has been announced in QEMU: CVE-2020-8608: In libslirp 4.1.0, as used in QEMU 4.2.0, tcp_subr.c misuses snprintf return values, leading to a buffer overflow in later code. Vulnerable: <= 3.1+dfsg-8+deb10u6 Fixed: 3.1+dfsg-8+deb10u7 |
4.0.0-4.2.0 | 4.2.1-4.4.5 |
2551911 |
ifupdown2 does not account for link status or link down configuration when running dhclient . For example, ifupdown2 ignores link-down yes during ifup/ifreload and runs the DHCP module if inet dhcp is configured on the interface. ifupdown2 also runs the DHCP module even when the physical link configured for DHCP is down. |
3.7.12-3.7.16, 4.2.0-4.4.5 | |
2551896 |
Several denial of service vulnerabilities have been announced in the qemu packages: CVE-2020-10756 CVE-2020-13361 CVE-2020-13362 CVE-2020-13754 CVE-2020-13659 Vulnerable: <= 1:3.1+dfsg-8+deb10u5 Fixed: 1:3.1+dfsg-8+deb10u6 |
4.0.0-4.2.0 | 4.2.1-4.4.5 |
2551887 |
On Mellanox switches, when you change the breakout configuration from 4x to 2x or from 2x to 4x, LLDP discovery fails. To resolve this issue, restart the LLDP service. |
4.2.0 | 4.2.1-4.4.5 |
2551873 |
If you have an existing community list of any type, redefining the same sequence number results in the entire community list being deleted. To work around this issue, delete the community list sequence before trying to adjust it. |
4.2.0-4.2.1 | 4.3.0-4.4.5 |
2551871 |
If you create a route map with the set large-comm-list command and the large community list referenced does not exist, bgpd might crash. You will also see an entry in the /var/log/frr/frr.log file. |
4.2.0 | 4.2.1-4.4.5 |
2551853 |
The following vulnerabilities have been announced in the nss packages, including libnss3, which other programs might use:
CVE-2019-17006: Check length of inputs for cryptographic primitives.
CVE-2019-17023: After a HelloRetryRequest has been sent, the client may negotiate a lower protocol than TLS 1.3, resulting in an invalid state transition in the TLS state machine. If the client gets into this state, incoming Application Data records are ignored.
CVE-2020-12399: NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys.
CVE-2020-12402: During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes.
Vulnerable: <= 3.42.1-1+deb10u2 Fixed: 3.42.1-1+deb10u3 |
4.0.0-4.2.0 | 4.2.1-4.4.5 |
2551747 |
In OVSDB high availability mode, deleting more than 200 VLAN bindings might cause ovs-vtepd to crash. Limit the deletion to 200 or fewer VLAN bindings. |
3.7.12-3.7.13, 4.0.0-4.4.5 | 3.7.14-3.7.16 |
2551730 |
When the OVSDB VTEP scale increases, the CPU utilization increases and eventually the switch (ptmd) fails to respond to BFD, causing the BFD session to go down. As a result OVSDB cannot read the BFD socket status and outputs a warning in the ovs-vtepd debugs: PTM socket error: Bad file descriptor. |
3.7.12-3.7.13, 4.0.0-4.4.5 | 3.7.14-3.7.16 |
2551727 |
In OVSDB high availability mode, if you create, then delete a binding, the FDB entry is not replaced and you see an error. | 3.7.12-3.7.13, 4.0.0-4.4.5 | 3.7.14-3.7.16 |
2551713 |
There is a change to the default OVSDB bootstrapping process, where the script created now defaults to VLAN-aware bridge mode. If you want to use traditional bridge mode, you need to force it by editing the ovs-vtep-ctl script generated by the bootstrap process. |
3.7.12-3.7.13, 4.0.0-4.4.5 | 3.7.14-3.7.16 |
2551692 |
A host migrated to an 802.1X MAB port within the same broadcast domain fails to have the correct FDB entry installed if a dynamic FDB entry for that MAC address exists from previous connectivity in the broadcast domain. To work around this issue, manually delete the dynamic FDB entry that is associated with the uplink trunk port. |
3.7.12-3.7.13, 4.1.1-4.4.5 | 3.7.14-3.7.16 |
2551687 |
When you run cl-ecmpcalc to determine a hardware hash result, tests might fail. |
4.2.0-4.2.1 | 4.3.0-4.4.5 |
2551674 |
When you restart clagd , the edge port setting on the peer link changes. |
3.7.2-3.7.13, 4.0.0-4.4.5 | 3.7.14-3.7.16 |
2551666 |
If you modify an interface name, then reuse the previous interface name for a different VLAN, the ifreload -a command generates an error similar to the following:
|
4.1.0-4.4.5 | |
2551665 |
On the QuantaMesh T1048-LY4 switch, pluggables inserted into SFP+ ports are not detected. To work around this issue, downgrade to Cumulus Linux 3.7 ESR. |
4.0.0-4.2.0 | 4.2.1-4.4.5 |
2551650 |
The net show dot1x interface summary command output shows a MAC address with all zeros associated with a port. |
3.7.12-3.7.13, 4.0.0-4.4.5 | 3.7.14-3.7.16 |
2551578 |
When you configure a bridge in the /etc/network/interfaces file, then try to reconfigure the bridge to be a VRF interface with the same name, the ifreload and ifup commands fail with an invalid table id or unable to get vrf table id error. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2551565 |
If you toggle VRRP priority values between VRRP routers, then restart switchd, a few IPv6 VRRP instances might not converge. As a result, both VRRP routers act as master routers for the impacted IPv6 VRRP instances. IPv4 VRRP instances are not affected. To work around this issue, remove, then add back the VRRP configuration with NCLU or vtysh commands. |
3.7.13-3.7.16, 4.2.0-4.4.5 | |
2551507 |
After adding an interface to a VRF, the router interface (RIF) entry for it is missing. | 4.2.0 | 4.2.1-4.4.5 |
2551422 |
On Mellanox switches with the Spectrum-2 ASIC, the lpm-balanced forwarding profile does not work. | 4.1.1-4.2.1 | 4.3.0-4.4.5 |
2551335 |
When TACACS+ is configured and the management VRF is enabled, users with privilege level 13 are prevented from running ip and cat commands. |
4.0.0-4.4.5 | |
2551305 |
The net show configuration command provides the wrong net add command for ACL under the VLAN interface. |
3.7.12-3.7.16, 4.1.0-4.4.5 | |
2551290 |
Non SFF-8634/SFF-8636 compliant 40G AOC modules might not link up when inserted into the Mellanox SN3700 switch. The EEPROM bytes for RX amplitude control (page 03h, bytes 236-239) are defined as volatile in the SFF-8634/SFF-8636 specification: after the module power is off, the EEPROM values should return to their defaults. However, these bytes are observed to be non-volatile in the modules listed below:
- Mellanox MFP4R12CB-0XX (Luxtera)
- AVAGO AFBR-79Q4PACXXZ
https://www.finisar.com/sites/default/files/downloads/fcbg410qb1cxx_quadwire_40gbs_parallel_active_optical_cable_product_spec_revb7.pdf
https://www.mouser.com/ProductDetail/Finisar/FCBN410QB1C03?qs=D%252B6gCNt%2Fg2BZq7qPdKrYVA%3D%3D
Because the modules listed above do not return to their default values correctly when they are unplugged and re-inserted, a cable might become unusable until it is reprogrammed. |
4.1.1-4.2.0 | 4.2.1-4.4.5 |
2551273 |
On a Mellanox SN2010 switch, the Locator LED is on after you upgrade Cumulus Linux. | 4.1.0-4.4.5 | |
2551221 |
When span-to-cpu is enabled on a layer 3 swp interface with an IP address configured, packets destined to the switch port’s IP address do not reach the switch port. To capture packets destined to the switch port’s IP address, disable span-to-cpu and use tcpdump on the switch port instead. | 4.2.0-4.4.5 | |
2551187 |
dot1qVlanIndex in the dot1qVlanStaticTable of the SNMP Q-BRIDGE-MIB does not use VLAN ID and does not comply with RFC 4363. | 4.1.1-4.2.1 | 4.3.0-4.4.5 |
2551162 |
switchd memory utilization might continue to increase if there are excessive and continuous link flaps over a long period of time. To work around this issue, correct the cause of the frequent link flaps. You can restart switchd with the sudo systemctl restart switchd command to recover memory; this operation is impactful to all traffic on the switch during the restart. |
3.7.11-3.7.12, 4.0.0-4.2.0 | 3.7.13-3.7.16, 4.2.1-4.4.5 |
2551124 |
When the dynamic or static flag on a bridge fdb (MAC) entry is changed to the opposite state, the new flag is not set appropriately in hardware. This can allow a static fdb entry to be unexpectedly learned dynamically on a different interface, or can prevent a dynamic entry from being updated or learned elsewhere. This condition can occur during a manual replacement of a local MAC address or when EVPN updates a dynamic MAC address to add or remove the Sticky Mac flag. Either situation results in the MAC address keeping the original flag in hardware. To work around this issue, delete or withdraw the fdb entry, then add the static MAC address directly. For example:
If you are unable to delete an EVPN-learned remote MAC address, you can replace the dynamic MAC address with a local static one, then delete the static MAC address. For example:
|
4.0.0-4.2.1 | 4.3.0-4.4.5 |
2551111 |
If a remote EVPN Sticky MAC [Static MAC address] is unexpectedly learned dynamically on a local interface, the selected entries in zebra and BGP are in an inconsistent state. zebra increments the local MAC mobility sequence number and considers the MAC address to be local, but BGP maintains the remote Sticky MAC as the best path selected. This results in zebra installing the local MAC address and BGP not updating the route for the MAC address. |
4.0.0-4.4.5 | |
2550974 |
On the Dell S3000 switch, after installing the Cumulus Linux 4.1.1 disk image without a license, the switch sends a link beat if a remote host port is configured. | 3.7.11-3.7.16, 4.1.1-4.4.5 | |
2550973 |
After you enable RoCE with the net add interface command, you cannot verify the command because it is not shown in the net show config command output. |
4.1.1-4.2.1 | 4.3.0-4.4.5 |
2550942 |
NCLU tab completion for net show displays the text add help text instead of system Information for the system option. |
3.7.11-4.2.0 | 4.2.1-4.4.5 |
2550906 |
After you delete a bond, the deleted bond members have the deleted bond MAC address instead of their original MAC address, which might result in traffic being discarded. To work around this issue, perform a full switch restart. |
4.1.1-4.2.1 | 4.3.0-4.4.5 |
2550872 |
In an MLAG configuration with static VXLAN, static tunnels become unreachable. | 3.7.13, 4.1.1-4.4.5 | 3.7.14-3.7.16 |
2550796 |
On a Broadcom switch with the Trident2+ ASIC, ACL rules for VLANs are not applied after a reboot and the counters remain at zero. To work around this issue, either do not set acl.non_atomic_update_mode = TRUE in the /etc/cumulus/switchd.conf file or run the cl-acltool -i command after the reboot to install the ACLs. |
3.7.12-4.2.1 | 4.3.0-4.4.5 |
2550793 |
The NCLU net show bridge spanning-tree command displays the aging timer incorrectly. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2550713 |
Configuring the subinterface of a VXLAN uplink under another traditional bridge, which also has the VXLAN VNI enslaved, causes switchd to use high CPU due to very frequent VXLAN tunnel sync events. To work around this issue, do not enslave the subinterface of a VXLAN layer 3 uplink under a traditional bridge in a VXLAN configuration. |
4.1.1-4.4.5 | |
2550642 |
ACLs with a SPAN target and a bond member as the in-interface are not supported on Spectrum-based switches. | 4.2.0-4.4.5 | |
2550605 |
A VRRP role change over the EVPN network causes excessive BGP updates and connectivity issues to VIP for about one minute. | 4.1.1-4.4.5 | 3.7.14-3.7.16 |
2550478 |
A VXLAN interface as the in-interface or out-interface in an ACL is not supported on Spectrum-based switches. | 3.7.7-4.2.0 | 4.2.1-4.4.5 |
2550444 |
Tab completion for the net show rollback description command returns information about a snapshot instead of context help. To work around this issue, run the net show commit history command to find descriptions instead of the net show rollback description command. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2550443 |
The net show rollback description command returns an error even if the string matches a commit description. To work around this issue, look for your string in the output of the net show commit history command (or grep for it there) instead. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2550374 |
CPU utilization may increase when clag-managed bond interfaces are operationally/LACP down but the physical carrier remains up on the bond member switchports. This condition occurs when clag bond redirection is enabled and bond members remain up while the parent bond does not negotiate LACP. This issue is resolved in Cumulus Linux 3.7.14. |
3.7.9-3.7.13, 4.0.0-4.4.5 | 3.7.14-3.7.16 |
2550348 |
Due to a known limitation, DHCPv6 snooping is not supported on Mellanox platforms. Refer to the Mellanox support case |
4.2.0-4.2.1 | 4.3.0-4.4.5 |
2550342 |
On Mellanox switches, when EVPN multihoming is configured, MAC moves are not detected. | 4.2.0 | 4.2.1-4.4.5 |
2550276 |
In LLDP, the snmp subagent loses all subsequent lldpRemSysName (1.0.8802.1.1.2.1.4.1.1.9) entries after an entry with a missing SysName is added. All the information from lldpctl is correct. Only the entries after the entry that is missing a SysName in lldpRemSysName disappear from the snmp subagent. |
3.7.12-4.2.1 | 4.3.0-4.4.5 |
2550243 |
When you use nginx and restserver in the management VRF to provide a REST API for the switch, nginx starts but restserver fails to start. To work around this issue, comment out the Requires= line in /lib/systemd/system/restserver.service. For example:
|
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2550056 |
The ACCTON-DIAG option under the Cumulus Linux GRUB menu does not work. When you select this option, you see the following error:
|
3.7.12-3.7.16, 4.1.1-4.4.5 | |
2550048 |
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2020-10690 CVE-2020-12770 CVE-2020-12826 CVE-2019-15794 CVE-2020-10711 CVE-2020-13974 CVE-2020-10732 CVE-2020-10757 CVE-2020-15780 CVE-2019-20908 CVE-2020-16166 CVE-2018-16884 CVE-2020-14356 CVE-2019-18885 CVE-2019-12379 For the detailed security status of linux, refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux | 4.2.0 | 4.2.1-4.4.5 |
2549925 |
When you run an Ansible script to replace the /etc/network/interfaces file, then run the ifreload -a command, you see errors similar to the following:
To work around this issue, run the ifreload -a command a second time. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2549872 |
If you have an SVI with multiple VRR IP addresses and try to delete one of the VRR configurations, net commit or ifreload -a returns an error. |
3.7.12-3.7.16, 4.1.1-4.4.5 | |
2549838 |
In vtysh, if you configure, then remove a layer 3 VNI for a VRF, the VNI is removed from zebra even if the VNI interface still exists in the kernel. If you configure a layer 2 VNI as a layer 3 VNI by mistake, removing the layer 3 VNI binding removes it from zebra but EVPN-learned MACs and neighbors are not installed into the kernel. To work around this issue, delete, then re-add the missing VNI. For example:
If you flap the link with the ip link set vni10100 down; ip link set vni10100 up commands, zebra does not re-add the VNI. |
3.7.12-4.2.1 | 4.3.0-4.4.5 |
2549793 |
The asic-monitor.service fails when you configure /etc/cumulus/datapath/monitor.conf with monitor.histogram_pg.collect.port_group_list = [all_packet_pg] and there is traffic passing through the buffer. When the service fails, you see the following traceback in journalctl :
|
3.7.11-3.7.13, 4.1.1-4.4.5 | 3.7.14-3.7.16 |
2549784 |
On Mellanox switches, when the networking service and switchd starts up, a rare condition might occur where switchd crashes and the following log message is generated:
|
4.1.0-4.2.1 | 4.3.0-4.4.5 |
2549782 |
The JSON format output of the net show bgp l2vpn evpn summary command shows the incorrect neighbor state. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2549731 |
When you create SPAN or ERSPAN rules in ebtables, the action fails to install if it is not in lowercase. Make sure that the SPAN or ERSPAN action is all lowercase; for example:
|
3.7.12-3.7.16, 4.1.1-4.4.5 | |
2549392 |
When you configure an RD or RT with NCLU, you see duplicate VNI stanzas in the /etc/frr/frr.conf file. To work around this issue, manually edit the /etc/frr/frr.conf file to define advertise-all-vni before the RD or RT configuration within the l2vpn EVPN address family, then reload the FRR service with the sudo systemctl reload frr command. |
4.1.0-4.4.5 | |
2549371 |
When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports even when no MLD join has been received. |
3.7.11-4.3.1 | 4.4.0-4.4.5 |
2549225 |
You might see the following gport error messages in switchd.log :
These messages are harmless and can be ignored. |
3.7.12-3.7.14.2, 4.0.0-4.4.5 | 3.7.15-3.7.16 |
2548930 |
On Mellanox Spectrum switches that contain an OSPF IP unnumbered neighborship with a high scale of prefixes being learned, a link flap might cause the neighbor entry to not be programmed in hardware. | 3.7.11-4.2.1 | 4.3.0-4.4.5 |
2548924 |
On the EdgeCore Minipack AS8000, storm control does not restrict unknown unicast, broadcast, or multicast traffic. | 4.1.1-4.4.5 | |
2548672 |
When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF. To work around this issue, remove the unnecessary eBGP IPv4 peering. |
3.7.12-3.7.15, 4.0.0-4.4.5 | 3.7.16 |
2548657 |
When you upgrade Cumulus Linux on the EdgeCore AS7726-32X or AS7326-56X switch, you might see firmware errors similar to the following:
You can safely ignore these error messages. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2548595 |
The net show config and net show time ntp server commands do not show NTP server configuration. |
4.1.0-4.2.0 | 4.2.1-4.4.5 |
2548579 |
The following security vulnerability has been announced: CVE-2020-10531: An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp. |
3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16 |
2548485 |
If you configure the aggregate-address summary-only option before injecting a component of the same aggregate into the BGP table with the network or redistribute command, then remove the aggregate-address configuration, the component stays suppressed; it is not advertised to peers. For example, with the existing configuration:
router bgp 1
If you add network 50.0.0.1/32, you see the following (expected) BGP table entries:
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
Removing aggregate-address 50.0.0.0/8 summary-only at this point results in the following (unexpected) BGP table entry:
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
To work around this issue, remove, then re-add the component prefix routes. |
3.7.12-4.2.1 | 4.3.0-4.4.5 |
2548408 |
net show configuration commands does not show the RoCE net add interface configuration. |
4.1.0-4.2.1 | 4.3.0-4.4.5 |
2548315 |
The following security advisory has been announced for bash: CVE-2019-18276 (Qualys scan QID 372268, setuid vulnerability). When bash or bash scripts are run setuid, bash is supposed to drop privileges, but does so incorrectly, so that an attacker with command access to the shell can use enable -f for runtime loading of a new builtin that calls setuid() to regain dropped privileges. To work around this issue, do not make bash or bash scripts setuid. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
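As an added example (written for this page, not from the release notes or from the bash project), a Python audit for the workaround above: it finds regular files under a tree that carry the setuid or setgid bit and whose interpreter line is bash, and clears those bits (the equivalent of chmod u-s,g-s). The two scripts it creates are constructed for the demonstration; the file and function names are the example's own. On a switch, run it against / to list candidates before deciding what to change.

```python
import os
import stat
import tempfile


def _first_line(path):
    """Read the shebang line (bytes) of a file, or b'' if unreadable."""
    try:
        with open(path, "rb") as fh:
            return fh.readline().rstrip()
    except OSError:
        return b""


def runs_under_bash(first_line):
    """True for '#!/bin/bash', '#!/usr/bin/bash' or '#!/usr/bin/env bash'.
    /bin/sh is deliberately not treated as bash: on Debian-based systems
    such as Cumulus Linux it is dash."""
    if not first_line.startswith(b"#!"):
        return False
    tokens = first_line[2:].split()
    if not tokens:
        return False
    if tokens[0].endswith(b"/bash"):
        return True
    return tokens[0].endswith(b"/env") and len(tokens) > 1 and tokens[1] == b"bash"


def setuid_bash_scripts(root):
    """Regular files under root with setuid or setgid set whose interpreter is
    bash: exactly the files CVE-2019-18276 makes dangerous."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                continue
            if runs_under_bash(_first_line(path)):
                hits.append(path)
    return sorted(hits)


def drop_setuid(path):
    """The workaround: clear setuid and setgid on the script; returns the new mode."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    mode &= ~(stat.S_ISUID | stat.S_ISGID)
    os.chmod(path, mode)
    return mode


def build_demo_tree():
    """Constructed sample (not from the page): one setuid bash script and one
    ordinary bash script with the same content."""
    root = tempfile.mkdtemp(prefix="setuid-demo-")
    risky = os.path.join(root, "collect-diag.sh")
    plain = os.path.join(root, "show-uptime.sh")
    for path in (risky, plain):
        with open(path, "wb") as fh:
            fh.write(b"#!/bin/bash\nuptime\n")
    os.chmod(risky, 0o4755)  # setuid on a bash script: the pattern to remove
    os.chmod(plain, 0o0755)
    return root


if __name__ == "__main__":
    for script in setuid_bash_scripts(build_demo_tree()):
        print("setuid bash script:", script, "-> mode now %o" % drop_setuid(script))
```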
2548310 |
When the system boots, you might see errors such as: cumulus systemd-udevd[7566]: Process ‘/usr/bin/hw-management-thermal-events.sh add thermal_zone /sys/devices/virtual/thermal/thermal_zone25 thermal_zone25’ failed with exit code 1. These errors are the result of user space acting on kernel events slightly late: the mlxsw_minimal driver is added during kernel boot, an SDK reset causes the driver to be deleted and re-instantiated, and the user space handler for the thermal zone add event sees the add, but the underlying device is deleted before the handler can act on it. The situation is rectified when the mlxsw_minimal driver is re-instantiated later. |
4.1.0-4.4.5 | |
2548260 |
The net add routing route-map command does not add the set statement into the /etc/frr/frr.conf file. |
4.0.0-4.4.5 | |
2548243 |
On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
2548117 |
In OVSDB traditional bridge mode, adding or removing a VLAN binding causes a traffic forwarding outage for around 20 seconds or more on adjacent VLAN bindings. Cumulus Linux does not support traditional bridge mode with VMware NSX. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
2548062 |
When ports are split to 4x25G, RS FEC needs to be explicitly configured on both ends (especially when interoperating with non-Mellanox switches). | 4.1.0-4.4.5 | |
2548044 |
When a remote VTEP withdraws a type-3 EVPN route, Cumulus Linux purges all MAC address and neighbor entries installed in the corresponding layer 2 VNI through that remote VTEP from the local EVPN and kernel forwarding tables. This purge occurs even if the remote VTEP does not withdraw type-2 routes carrying the MAC address or neighbor entries. The entries stay missing from the local EVPN and kernel forwarding tables until BGP updates the MAC address and neighbor. | 3.7.12-3.7.15, 4.0.0-4.4.5 | 3.7.16 |
2547903 |
CVE-2019-19956: xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs.
Vulnerable: 2.9.4+dfsg1-7
Fixed: 2.9.4+dfsg1-7+deb10u1 |
4.0.0-4.4.5 | |
2547890 |
QinQ across VXLAN on a traditional bridge does not work. | 4.1.0-4.4.5 | |
2547782 |
If a LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2547706 |
When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd . To work around this issue, reboot the switch. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2547405 |
When you restart the hsflowd service, you see a systemd warning message similar to the following:
|
4.0.0-4.4.5 | |
2547120 |
After you hot swap a PSU, the decode-syseeprom -t psuX command shows the old PSU information (such as the serial number), until you run the decode-syseeprom –init command. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2547068 |
Hardware platforms using the Intel D-1500 CPU series might reboot unexpectedly. To work around this issue, contact your hardware vendor to ask whether a BIOS version with a microcode fix is available, or manually disable CPU C-states in the kernel as outlined below.
To permanently disable C-states using a kernel boot parameter:
1. Edit /etc/default/grub and add the argument processor.max_cstate=0 to the GRUB_CMDLINE_LINUX variable. For example, if /etc/default/grub contains the line GRUB_CMDLINE_LINUX="cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off", change it to GRUB_CMDLINE_LINUX="cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off processor.max_cstate=0".
2. Run sudo update-grub.
3. Reboot the system with sudo reboot.
To disable C-states on the running system (this does not persist across a reboot):
1. Confirm that the libpci3 package is installed. Run dpkg-query -l libpci3 and confirm that the following line is displayed: ii libpci3:amd64 1:3.2.1-3 amd64 Linux PCI Utilities (shared library). The first field must read ii. If it does not, install the package with sudo apt upgrade; sudo apt install libpci3.
2. Disable C-states by running ./cpupower idle-set -d 2.
C-states are disabled by default in Cumulus Linux 4.3.0 and later. |
3.7.9-4.2.1 | 4.3.0-4.4.5 |
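The permanent workaround above is a hand edit of /etc/default/grub, which is easy to get wrong across a fleet (duplicated parameters, a second GRUB_CMDLINE_LINUX line, lost quoting). The helper below is an added example, not part of Cumulus Linux: it appends a kernel parameter to GRUB_CMDLINE_LINUX only if it is not already present, keeps the file's ownership and mode, and can verify from /proc/cmdline that the running kernel actually booted with it. It assumes the GRUB_CMDLINE_LINUX value is double-quoted on a single line, as in the example above; the file paths and sample values are illustrative.

```sh
# Added example (not Cumulus Linux tooling): idempotently add a kernel
# parameter such as processor.max_cstate=0 to GRUB_CMDLINE_LINUX.

# grub_cmdline_get FILE: print the current GRUB_CMDLINE_LINUX value (last
# definition wins, as it does for GRUB itself).
grub_cmdline_get() {
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$1" | tail -n 1
}

# grub_cmdline_has FILE PARAM: true if PARAM is already one of the words.
grub_cmdline_has() {
    grub_cmdline_get "$1" | tr ' ' '\n' | grep -qxF -- "$2"
}

# grub_cmdline_add FILE PARAM: append PARAM if missing. The line is rewritten
# through a temp file and copied back with cat so that the mode and owner of
# /etc/default/grub are preserved (mv would replace the inode).
grub_cmdline_add() {
    file=$1 param=$2
    grub_cmdline_has "$file" "$param" && return 0
    cur=$(grub_cmdline_get "$file")
    new="${cur:+$cur }$param"            # no leading space when cur is empty
    if grep -q '^GRUB_CMDLINE_LINUX=' "$file"; then
        tmp=$(mktemp)
        awk -v v="$new" '
            /^GRUB_CMDLINE_LINUX=/ { print "GRUB_CMDLINE_LINUX=\"" v "\""; next }
            { print }' "$file" > "$tmp" && cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        printf 'GRUB_CMDLINE_LINUX="%s"\n' "$new" >> "$file"
    fi
}

# cstate_param_active [CMDLINE_FILE]: true if the running kernel booted with
# processor.max_cstate=0. Reads /proc/cmdline unless a file is given.
cstate_param_active() {
    tr ' ' '\n' < "${1:-/proc/cmdline}" | grep -qxF processor.max_cstate=0
}
```

Usage on a switch: grub_cmdline_add /etc/default/grub processor.max_cstate=0, then sudo update-grub and sudo reboot; after the reboot, cstate_param_active returns 0 only if the parameter really reached the kernel, which is the check to put in your post-upgrade validation.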
2546991 |
The FRR service does not provide a way for automation to know if the configuration applied properly. To work around this issue, execute the vtysh -f command in the automation file before starting the FRR service to validate the functional configuration and return an error code. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2546985 |
On the EdgeCore AS7326-56X switch, the PSU fans show constant LOW warnings. | 3.7.10-3.7.12, 4.0.0-4.2.0 | 3.7.13-3.7.16, 4.2.1-4.4.5 |
2546895 |
If you configure a high number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout (2 minutes by default) and you see an error similar to the following: systemd[1]: switchd.service watchdog timeout (limit 2min)!
To work around this issue, either reduce the number of configured interfaces and/or VLANs, or increase the systemd timeout for switchd.service. To increase the systemd timeout:
1. Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter.
2. Restart the switchd service with the sudo systemctl restart switchd.service command.
systemd attempts to restart the switchd service automatically after the watchdog timeout. If the restart fails multiple times in a short period, run sudo systemctl reset-failed followed by sudo systemctl restart switchd. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
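Editing WatchdogSec by hand in a drop-in is simple once, but a second WatchdogSec= line or a value placed outside [Service] is silently ignored by systemd. The helper below is an added example, not Cumulus Linux tooling: it sets exactly one WatchdogSec= under [Service] in a drop-in file, creating the section or the file if needed and leaving other keys alone. The file path and the sample values are assumptions for illustration.

```sh
# Added example (not Cumulus Linux tooling): manage WatchdogSec in a systemd
# drop-in such as /etc/systemd/system/switchd.service.d/override.conf.

# set_watchdog_sec FILE SECONDS: ensure FILE has a single WatchdogSec=SECONDS
# under [Service]. Existing values in [Service] are replaced; a WatchdogSec in
# any other section is not touched because systemd would not honour it there.
set_watchdog_sec() {
    file=$1 secs=$2
    mkdir -p "$(dirname "$file")"
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp)
    awk -v secs="$secs" '
        /^\[/ {
            # Leaving [Service] without having written the key: insert it here.
            if (insvc && !done) { print "WatchdogSec=" secs; done = 1 }
            insvc = ($0 == "[Service]")
        }
        insvc && /^WatchdogSec=/ {
            if (!done) { print "WatchdogSec=" secs; done = 1 }
            next      # drop the old line (and any duplicate)
        }
        { print }
        END {
            if (!done) {
                if (!insvc) print "[Service]"
                print "WatchdogSec=" secs
            }
        }' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# get_watchdog_sec FILE: print the WatchdogSec value that systemd would see
# from FILE (last one under [Service]), or nothing if unset.
get_watchdog_sec() {
    awk -F= '
        /^\[/ { insvc = ($0 == "[Service]") }
        insvc && $1 == "WatchdogSec" { v = $2 }
        END { print v }' "$1"
}
```

On the switch: set_watchdog_sec /etc/systemd/system/switchd.service.d/override.conf 5min, then sudo systemctl daemon-reload before the sudo systemctl restart switchd.service step above; systemd only re-reads unit files and drop-ins on daemon-reload, so without it the restart still runs with the old 2min limit. systemctl show switchd.service -p WatchdogUSec shows the value actually in effect.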
2546874 |
On the Dell S5232F, S5248F, S5296F, and S3048 switch, using the poweroff or halt commands does not fully power off the switch. |
4.0.0-4.4.5 | |
2546255 |
On the EdgeCore Minipack-AS8000 switch, a 100G DAC link does not come up when auto-negotiation is enabled on the neighbor. This switch does not support 100G DAC auto-negotiation at this time. | 4.0.0-4.4.5 | |
2546225 |
When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer , which causes issues with cl-support.
To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2546131 |
On the Delta AG-6248C PoE switch, the apt upgrade command does not work. Cumulus Linux uses U-Boot directly instead of GRUB to boot the kernel. U-Boot needs a special header to boot the kernel, which is not present; without it, after you use apt upgrade to upgrade Linux packages, U-Boot cannot boot the kernel. To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image: run the onie-select command to go into ONIE, then use the nos-install command in ONIE to install a new image. This workaround only works when an out-of-band network is present. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2545837 |
If you use the NCLU commands to configure NTP and run the net add time ntp source command before you run the net add time ntp server command, the /etc/ntp.conf file is misconfigured.To work around this issue, run the net add time ntp server command before you run the net add time ntp source command. |
3.7.10-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16 |
2545520 |
The length of the netlink message is not set properly for non-bridge family type messages. The same length is used for both bridge and non-bridge even though the bridge family type message has an extra attribute. This causes extra bytes to be left over in non-bridge family type netlink messages. | 3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
2545239 |
On the Mellanox switch with the Spectrum-2 ASIC, Precision Time Protocol (PTP) is not currently supported. | 4.0.0-4.3.1 | 4.4.0-4.4.5 |
2545233 |
On the Delta AG9032v1 switch, smonctl and sensors report inaccurate PSU current and power. | 4.0.0-4.4.5 | |
2545125 |
If you configure more than one VRR interface on an SVI interface, deleting one of the VRR addresses does not remove the interface/address. | 3.7.10-3.7.16, 4.0.0-4.4.5 | |
2544978 |
If you delete an undefined bond, then add a bond slave, the net commit command fails. |
3.7.9-3.7.16, 4.0.0-4.4.5 | |
2544968 |
FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:
should be:
To work around this issue, configure the interface manually in the /etc/frr/frr.conf file. |
3.7.9-3.7.16, 4.0.0-4.4.5 | |
2544957 |
NCLU incorrectly allows you to apply port security configuration on layer 2 and layer 3 ports that are not part of a bridge. | 4.0.0-4.4.5 | |
2544953 |
When you update the hostname of a switch with the NCLU net add hostname command, then run net commit , the lldpd service does not restart and other devices still see the old hostname.To work around this issue, run the sudo systemctl restart lldpd.service command. |
3.7.10-3.7.16, 4.0.0-4.4.5 | |
2544880 |
When you run the NCLU net show commit last or net show commit command, where is the last commit, no output is shown. |
4.0.0-4.4.5 | |
2544723 |
Setting ProtoDown on ports populated with SFP modules providing RJ-45 1000BASE-T interfaces does not cause the carrier to be dropped. The kernel shows carrier down; however, the remote device still shows a link. | 3.7.6-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
2544463 |
Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported .To work around this issue, do not use auto-negotiation and set the local port speed to 10G. |
3.7.9-3.7.16, 4.0.0-4.4.5 | |
2544456 |
The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. |
3.7.9-3.7.16, 4.0.0-4.4.5 | |
2544311 |
Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
2544155 |
NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order. |
3.7.5-3.7.16, 4.0.0-4.4.5 | |
2544113 |
MAC learning is not disabled by default on a double-tagged peer link interface, which results in the MAC address moving between the MLAG bond and the peer link. To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the /etc/network/interfaces file. |
3.7.9-3.7.16, 4.0.0-4.4.5 | |
2543937 |
An interface alias configured outside FRR using iproute2 is imported into the FRR running configuration and overrides the internal description. After an FRR reload, this causes FRR to delete the interface alias in an inefficient way. Depending on how many interfaces with aliases you have configured, this can cause a FRR reload to time out.To work around this issue, remove the interface alias description from iproute2 . |
3.7.8-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
2543900 |
On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | |
2543841 |
The net show evpn vni detail json command includes an extra empty dictionary at the end of the output. |
3.7.8-3.7.16, 4.0.0-4.4.5 | |
2543816 |
On the Dell S5248F-ON switch, smond might generate syslog messages indicating that the fan input RPM is lower than the normal low speed of 2500 RPM. Speeds as low as 1700 RPM are acceptable in normal thermal environments; therefore, you can ignore these messages. |
3.7.6-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16 |
2543781 |
NCLU does not allow you to configure OSPF NSSAs. For example:
To work around this issue, use FRR instead. For example:
|
3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
2543724 |
If a hostname contains utf-8 characters, the NCLU net show lldp command outputs the following error:
|
3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
2543647 |
ERSPAN in ebtables does not work for VNIs. For example, the following rule does not work:
|
3.7.6-4.2.1 | 4.3.0-4.4.5 |
2543646 |
In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). | 3.7.6-3.7.16, 4.0.0-4.4.5 | |
2543401 |
On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces. To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. |
4.0.0-4.4.5 | |
2543211 |
In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18). |
3.7.0-3.7.16, 4.0.0-4.4.5 | |
2543164 |
The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. |
3.7.7-3.7.16, 4.0.0-4.4.5 | |
2543096 |
When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted. |
3.7.6-3.7.16, 4.0.0-4.4.5 | |
2542945 |
On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags. To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad :
|
3.7.6-3.7.16, 4.0.0-4.4.5 | |
2542837 |
On Mellanox switches, policer iptables are not working as expected. For example, when using a policer with mode KB/MB/GB to rate-limit interfaces, the syntax is accepted but the data plane transfer speed is not affected by the rule. | 3.7.6-3.7.8, 4.0.0-4.4.5 | 3.7.9-3.7.16 |
2542305 |
If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically. |
3.7.6-3.7.16, 4.0.0-4.4.5 | |
2542301 |
When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted. |
3.7.3-3.7.16, 4.0.0-4.4.5 | |
2541212 |
The maximum-prefix configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded. |
3.7.5-3.7.16, 4.0.0-4.4.5 | |
2541029 |
On switches with the Trident2 ASIC, 802.1Q-encapsulated control plane traffic received on an interface with 802.1AD configured subinterfaces might be dropped. This issue only affects QinQ configurations. |
3.7.5-3.7.16, 4.0.0-4.4.5 | |
2540753 |
If the interface alias contains a single or double quotation mark, or an apostrophe, the net show configuration commands fail with the following error:
|
3.7.5-3.7.16, 4.0.0-4.4.5 | |
2540444 |
SNMP incorrectly requires engine ID specification. |
3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540352 |
When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a match interface condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces. For example, this command is incorrect:
These commands are correct:
|
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2540340 |
NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays
Tab completion for the net add vrf command works correctly. |
3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540274 |
On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
2540204 |
When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540192 |
The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled. To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. |
3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540155 |
On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node. |
3.7.3-3.7.16, 4.0.0-4.4.5 | |
2540042 |
When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails. To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example:
|
3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540041 |
On SVIs in a VLAN-aware bridge, you cannot change the VRRP priority with NCLU. To work around this issue, run the vtysh command inside FRR to change the default priority. For example:
|
3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540040 |
Cumulus Linux uses VRRPv3 as the default version, and enables both preempt and accept mode by default. You cannot change these default values with NCLU. To work around this issue, run the vtysh commands (inside FRR) to change the default values. For example:
|
3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540031 |
NCLU does not honor auto all in the /etc/network/interfaces file and removes the existing configuration if no individual auto lines exist. |
3.7.3-3.7.16, 4.0.0-4.4.5 | |
2539994 |
When you try to remove a BGP peer group configuration with NCLU, the command fails but no warning message is shown. For example:
|
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2539962 |
When an LDAP user that does not have NCLU privileges (either in the netshow or netedit group, or in the /etc/netd.conf file) runs an NCLU command, a traceback occurs instead of a permissions error. |
3.7.0-3.7.16, 4.0.0-4.4.5 | |
2539670 |
On the Edgecore 4610-54P switch, automatic medium-dependent interface crossover (auto-MDIX) stops working on a 100M full duplex interface and does not detect the required cable connection type. |
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2539124 |
The net add interface command adds no ptm-enable for that interface in the frr.conf file. Running the net add or the net del command does not remove no ptm-enable from the frr.conf file. You have to remove it manually using vtysh. |
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2538790 |
NCLU automatically adds the VLAN ID (for the layer 3 VNI/SVI) to the bridge when you run net add vxlan . This configuration breaks network connectivity in an EVPN symmetric routing configuration using MLAG. To restore connectivity, remove the VLAN ID from the bridge. |
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2538590 |
When you configure a control plane ACL to define permit and deny rules for traffic destined to the local switch, NCLU programs the rules into the FORWARD chain instead of the INPUT chain. Because the FORWARD chain only sees transit traffic, the rules never match packets addressed to the switch itself and the ACL does not protect the control plane. |
3.7.2-3.7.16, 4.0.0-4.4.5 | |
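A quick way to confirm whether you are affected is to look at where rules naming the switch's own address ended up. The script below is an added example, not part of Cumulus Linux or NCLU: it reads iptables-save output on stdin and prints every FORWARD rule whose destination is the given switch address. The switch addresses and the rule set are constructed for the example, not captured from a real switch.

```sh
# Added example (not Cumulus Linux or NCLU code): find control-plane ACL rules
# that landed in FORWARD, where they cannot match traffic to the switch itself.
#
# misplaced_cp_rules SWITCH_IP < iptables-save-output
# Prints each "-A FORWARD ... -d SWITCH_IP[/32] ..." rule, one per line.
misplaced_cp_rules() {
    awk -v ip="$1" '
        $1 == "-A" && $2 == "FORWARD" {
            for (i = 3; i < NF; i++) {
                if ($i == "-d" && ($(i + 1) == ip || $(i + 1) == ip "/32")) {
                    print
                    break
                }
            }
        }'
}

# Constructed sample in iptables-save format (not from a real switch).
# 192.0.2.1 is the switch's own address. The first rule is where a control
# plane ACL belongs; the two FORWARD rules for 192.0.2.1 are the misplaced ones.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 10.0.0.0/8 -d 192.0.2.1/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -d 192.0.2.1/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 192.0.2.1/32 -p tcp -m tcp --dport 22 -j DROP
-A FORWARD -s 10.1.1.0/24 -d 198.51.100.7/32 -j ACCEPT
COMMIT'

# count_misplaced SWITCH_IP < iptables-save-output: number of such rules,
# convenient for a pass/fail check in a compliance script.
count_misplaced() {
    misplaced_cp_rules "$1" | grep -c .
}
```

On a switch, run sudo iptables-save | misplaced_cp_rules 192.0.2.1 (and ip6tables-save for IPv6 rules); any output means the ACL is not filtering traffic to the switch and must be moved to INPUT, for example with a hand-written rule in /etc/cumulus/acl/policy.d/ applied by cl-acltool.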
2538562 |
On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the /etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up. After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown. To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex, or MDI-X settings. Note: The advertised link mode is set incorrectly if you include 1000baseT/Half; the port still comes up successfully at 1G. |
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2538294 |
If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. |
3.7.0-3.7.16, 4.0.0-4.4.5 | |
2537699 |
There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces:
Eventually the dhcrelay service stops. |
3.7.1-3.7.16, 4.0.0-4.4.5 | |
2537544 |
When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl ; for example, SNMP output from the BRIDGE-MIB. |
3.7.1-3.7.16, 4.0.0-4.4.5 | |
2536576 |
If you try to bring down several members of a bond remotely at the same time, the link state of one of the interfaces might not transition correctly to the down state; however, all links show down in hardware. |
4.0.0-4.4.5 | |
2536384 |
The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does not differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets are not forwarded to the CPU and do not go through the iptables redirection rule; only VXLAN encapsulated BFD packets are forwarded to the CPU, due to the inner MAC DA lookup in hardware. |
3.7.0-3.7.16, 4.0.0-4.4.5 | |
2536256 |
For an unresolved address, the IPROUTER default policer rule has been modified to not match on packets exiting a TUNNEL and headed to the CPU to resolve the address via ARP. As a result, the following default rule no longer matches TUNNEL ingress packets.
These packets are now policed by catch all rules. To work around this issue, the VPORT value on a TRIDENT switch must be changed from binary 011 to 100. |
4.0.0-4.4.5 | |
2536242 |
On the EdgeCore AS7712 (Tomahawk) switch running in atomic mode, when a layer 3 ECMP path is brought down, traffic traversing the path stops working for about four seconds. When the switch is changed to non-atomic mode, the delay is less than one second. This issue is seen across OSPF and static ECMP routes. | 4.0.0-4.4.5 | |
2536179 |
On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
2535986 |
At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets.When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart. |
3.7.0-3.7.16, 4.0.0-4.4.5 | |
2535965 |
On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly. To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic. |
3.7.0-3.7.16, 4.0.0-4.4.5 | |
2535723 |
The source address of the ICMPv6 time exceeded message (traceroute hop) is sourced from the wrong VRF when the traceroute target resides on the same switch but in a different VRF. | 4.0.0-4.4.5 | |
2535605 |
FRR does not add BGP ttl-security to either the running configuration or to the /etc/frr/frr.conf file when configured on a peer group instead of a specific neighbor. To work around this issue, add ttl-security to individual neighbors instead of the peer group. |
4.0.0-4.4.5 | |
2535209 |
The net show lldp command sometimes shows the port description in the Remote Port field. The net show interface command shows the correct value in the Remote Host field.To work around this issue, use net show interface command for LLDP output when connected to Cisco equipment. |
3.7.5-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
2534977 |
On the Mellanox switch, the destination MAC address of ERSPAN GRE packets is set to all zeros; therefore, the first transit switch might drop packets. | 4.0.0-4.4.5 | 3.7.14-3.7.16 |
2534734 |
Span rules matching the out-interface as a bond do not mirror packets. | 4.0.0-4.4.5 | |
2533691 |
If you configure a VLAN under a VLAN-aware bridge and create a subinterface of the same VLAN on one of the bridge ports, the bridge and interface compete for the same VLAN and if the interface is flapped, it stops working. Correcting the configuration and running the ifreload command does not resolve the conflict. To work around this issue, correct the bridge VIDs and restart switchd or delete the subinterface. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2533625 |
PIM and MSDP entries are set to the internal COS value of 6 so they are grouped together with the bulk traffic priority group in the default traffic.conf file. However, PIM, IGMP, and MSDP are considered control-plane and should be set to the internal COS value of 7. |
4.0.0-4.4.5 | |
2533337 |
When you use NCLU to bring a bond admin down (net add bond ), the bond interface goes into admin down state but the switch ports enslaved to the bond remain UP. If you are using bond-lacp-bypass-allow or balance-xor mode, the host might continue to send traffic. This traffic will be dropped because although the bond slaves are UP, they are not members of the bridge.To work around this issue, use the sudo ifdown command. |
4.0.0-4.4.5 | |
2531273 |
In certain cases, a peer device sends an ARP request from a source IP address that is not on the connected subnet and the switch creates a STALE neighbor entry. Eventually, the switch attempts to keep the entry fresh and sends ARP requests to the host. If the host responds, the switch has REACHABLE neighbor entries for hosts that are not on the connected subnet. To work around this issue, change the value of arp_ignore to 2. See Address Resolution Protocol in the Cumulus Linux user guide (https://docs.cumulusnetworks.com/cumulus-linux/Layer-3/Address-Resolution-Protocol-ARP/) for more information. |
4.0.0-4.4.5 | |
Fixed Issues in 4.2.0
Issue ID | Description | Affects |
---|---|---|
2553000 |
When the following conditions exist, clagd might fail to establish a TCP control session across the subinterface (such as peerlink.4094):
* clagd uses an IPv6 link-local address (LLA) to establish the TCP connection (the clagd-peer-ip linklocal command configures an IPv6 LLA connection)
* Subsequent VLAN changes are made to VLAN subinterfaces, or SVIs are added or removed
This issue occurs because the hardware stores one entry per VRF to represent the IPv6 LLA. The hardware entry for the LLA is removed when another interface is changed because the software interfaces are represented by a single entity in hardware. As a result, packets destined to the local IPv6 LLA are received on the port but are not forwarded to the CPU for further processing. To work around this issue, use IPv4 addresses under peerlink.4094 and configure clagd to peer on IPv4 addresses. |
3.7.12-3.7.13 |
2551771 |
When a specific PIM join/prune packet is received from a PIM neighbor the pimd process might crash with a core file. |
4.0.0-4.1.1 |
2551551 |
Some Dell N3048EP switches ship with an incompatible ONIE version. To install Cumulus Linux on the switch, you must upgrade ONIE to version 4.39.1.0-9. To download this version of ONIE, contact Dell. | |
2551429 |
Static routes in FRR with their next hop defined as a local IPv4 or IPv6 address are rejected with the following message:
To work around this issue, make sure to define static routes that are intended to point directly at a particular interface with the interface itself as the next hop instead of the address on that interface. For example:
|
|
2551387 |
When you try to retrieve the Q-BRIDGE-MIB::dot1qTpFdbTable (1.3.6.1.2.1.17.7.1.2.2), snmpd does not return any results. |
4.1.1 |
2550690 |
The following vulnerability has been announced that affects GnuTLS: CVE-2020-13777: GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TLS server always uses wrong data in place of an encryption key derived from an application.
Vulnerable: <= 3.6.7-4+deb10u3
Fixed: 3.6.7-4+deb10u4 |
4.0.0-4.1.1 |
2550634 |
When VRF route leaking is configured, iBGP sessions might reset with the peer reporting:
The error is triggered by an UPDATE message that contains the EXTENDED_COMMUNITIES attribute with an empty list of extended communities. To work around this issue, apply an extended community with a route map using import in the importing VRF address family. Make sure that the route map contains the set extended community rt value:value command; for example, set extended community rt 11:22. |
4.1.0-4.1.1 |
2550349 |
Unicast traffic from downlink hosts is flooded to multiple remote VTEPs, which might also cause high HwIfOutQDrops/TX_DRP on the uplink ports. To work around this issue, restart switchd . |
3.7.10-3.7.13, 4.0.0-4.1.1 |
2550324 |
On the Mellanox switches with BFD configured, you might see high load averages. | 4.1.1 |
2550275 |
If packets with an invalid checksum are received, the cumulus-poe service might restart and you see log messages similar to the following:
May 20 10:48:04.665635 leaf01 poed[8012]: ERROR : invalid checksum in response [0xC2:0x00]
May 20 10:48:04.671299 leaf01 poed[8012]: poed : ERROR : invalid checksum in response [0xC2:0x00]
May 20 10:48:04.708620 leaf01 systemd[1]: cumulus-poe.service: main process exited, code=exited, status=1/FAILURE
The service starts automatically but there is a momentary impact to PoE devices. |
3.7.12, 4.0.0-4.1.1 |
2550264 |
The sx_sdk service might log errors or generate a core file when you configure breakout ports on Mellanox Spectrum platforms. The error message is similar to the following: sx_sdk: EMAD_RX_THREAD: EMAD transaction FW error. This issue is resolved in Cumulus Linux 4.2.0 and later. |
4.1.1 |
2550244 |
Several vulnerabilities were discovered in BIND, a DNS server implementation. bind9-host (containing only /usr/bin/host) and some libraries from the bind9 source package are installed on the switch by default; the BIND server referred to in these vulnerabilities is not installed by default but is available in the repository for optional installation.
CVE-2019-6477: It was discovered that TCP-pipelined queries can bypass tcp-client limits resulting in denial of service.
CVE-2020-8616: It was discovered that BIND does not sufficiently limit the number of fetches performed when processing referrals. An attacker can take advantage of this flaw to cause a denial of service (performance degradation) or use the recursing server in a reflection attack with a high amplification factor.
CVE-2020-8617: It was discovered that a logic error in the code which checks TSIG validity can be used to trigger an assertion failure, resulting in denial of service.
Vulnerable: 9.11.5.P4+dfsg-5.1
Fixed: 9.11.5.P4+dfsg-5.1+deb10u1 |
4.0.0-4.1.1 |
2550117 |
The following vulnerability has been announced in the apt package: CVE-2020-3810: Shuaibing Lu discovered that missing input validation in the ar/tar implementations of APT, the high level package manager, could result in denial of service when processing specially crafted deb files.
Vulnerable: <= 1.8.2
Fixed: 1.8.2.1 |
4.0.0-4.1.1 |
2549958 |
When you move an interface from one VRF to another and modify the description in the same configuration operation, FRR crashes and restarts during a service reload. If these two changes occur in separate reloads, FRR does not crash. | 4.1.1 |
2549894 |
The Conntrack table fills up with OFFLOAD entries for flows that do not match the NAT rules in iptables . |
4.1.0-4.1.1 |
2549878 |
When NAT is configured, non-NAT traffic is incorrectly forwarded to the CPU. | 4.1.0-4.1.1 |
2549776 |
Configuration of interfaces fails to apply when you set FEC. You see a message similar to the following:
To work around this issue, reapply the configuration with NCLU and run the net commit or ifreload -a a second time to allow the interface configuration to apply. |
4.1.1 |
2549712 |
The following vulnerability affects the openldap package:
CVE-2020-12243: A vulnerability was discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. LDAP search filters with nested boolean expressions can result in denial of service (slapd daemon crash).
Vulnerable: <= 2.4.47+dfsg-3+deb10u1 Fixed: 2.4.47+dfsg-3+deb10u2 |
4.0.0-4.1.1 |
2549677 |
After you add or remove a bridge VLAN identifier (VID) on a trunk port, the layer 2 VNI is put into VLAN 1. To work around this issue, revert the configuration change. |
3.7.10-3.7.12, 4.0.0-4.1.1 |
2549671 |
On the Dell S4148T optical module, the low power polarity bit is set incorrectly and the switch port does not come up. To work around this issue, edit the /etc/hw_init.d/S10qsfp_init.sh file and change the lpmode line to be 0x3f instead of 0x00:
Reboot the switch and check that the switch port comes up. Important: Before upgrading Cumulus Linux 4.x with Debian packages that includes a fix for this problem, you must change the lpmode line back to 0x00. |
4.1.0-4.1.1 |
2549656 |
The following security vulnerabilities affect qemu packages, which are available for optional installation on Cumulus Linux:
CVE-2019-12068: In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+dfsg-8+deb10u2, and 1:2.1+dfsg-12+deb8u12 (fixed), when executing script in lsi_execute_script(), the LSI scsi adapter emulator advances 's->dsp' index to read next opcode. This can lead to an infinite loop if the next opcode is empty. Move the existing loop exit after 10k iterations so that it covers no-op opcodes as well.
CVE-2019-15034: hw/display/bochs-display.c in QEMU 4.0.0 does not ensure a sufficient PCI config space allocation, leading to a buffer overflow involving the PCIe extended config space.
CVE-2019-20382: QEMU 4.1.0 has a memory leak in zrle_compress_data in ui/vnc-enc-zrle.c during a VNC disconnect operation because libz is misused, resulting in a situation where memory allocated in deflateInit2 is not freed in deflateEnd.
CVE-2020-1983: A use after free vulnerability in ip_reass() in ip_input.c of libslirp 4.2.0 and prior releases allows crafted packets to cause a denial of service.
Vulnerable: <= 3.1+dfsg-8+deb10u4 Fixed: 3.1+dfsg-8+deb10u5 |
4.0.0-4.1.1 |
2549577 |
When you configure the management interface class (as shown below), eth0 remains in an admin down state on subsequent reboots:
|
4.1.0-4.1.1 |
2549472 |
On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic. | 3.7.11-4.1.1 |
2549385 |
FRR incorrectly orders advertise-all-vni later in the configuration than manual rd or route-target definitions. This causes the rd or route-target configuration to be misapplied or not applied at all. To work around this issue, when you manually configure the rd or route-target for a VNI, you must manually edit the /etc/frr/frr.conf file to define advertise-all-vni before the rd or route-target configuration within the l2vpn evpn address family. |
4.0.0-4.1.1 |
2549307 |
The following vulnerabilities affect git, which is available in the repository for optional installation:
CVE-2020-5260: Felix Wilhelm of Google Project Zero discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline, the credential helper machinery can be fooled to return credential information for a wrong host.
CVE-2020-11008: Carlo Arenas discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted. |
3.7.12-4.1.1 |
2549269 |
On Mellanox switches with the Spectrum-2 ASIC, when you use more than 16 bonds on the switch, you might experience forwarding issues or see an error similar to the following in switchd.log :
To work around this issue, configure fewer than 16 bonds on a switch. |
4.1.0-4.1.1 |
2548998 |
On the Mellanox SN2010 and SN2100 switch, the fan speed might ramp up and down. | 4.1.0-4.1.1 |
2548988 |
On Mellanox switches, the thermal monitoring script starts in suspended mode and, as a result, the fans run at sixty percent. You also see the following log message:
To work around this issue, run the following command to enable thermal monitoring:
|
4.0.0-4.1.1 |
2548962 |
With FRR or OSPF, you might see an inconsistent link-state advertisement. For example, when you configure the OSPF default originate route as metric-type 1 with a specific metric, Cumulus Linux shows the default originate route as an external metric-type 2 route with the default metric in the database. This issue typically occurs when both IPv4 and IPv6 default routes exist in the routing table. | 3.7.12-4.1.1 |
2548920 |
If you try to remove BFD configuration with a reload, the FRR service fails. The reload action results in a TypeError: expected string or bytes-like object error. You see this issue only if there is default configuration, such as configuration in the /etc/frr/frr.conf file that is suppressed from view in the FRR running configuration. To work around this issue, remove the default configuration lines; for example:
|
4.1.0-4.1.1 |
2548892 |
NTP does not start when you use the default VRF instead of the management VRF. | 4.1.0-4.1.1 |
2548855 |
Due to a packaging error, all switches installed from the same Cumulus Linux image have the same SSH host keys. This affects switches originally installed with Cumulus Linux 4.0.0 and 4.1.0 from a disk image only (including those that were upgraded by apt to a later release). As a result, this issue allows an attacker to more easily bypass remote host verification when a user connects by SSH to what is believed to be a previously used remote host but is really the attacker's host. For example, this issue can be exploited by a spoofing or man-in-the-middle attack. To resolve this issue, generate new SSH host keys for any switch that has Cumulus Linux 4.0.0 or 4.1.0 installed on it:
After generating new SSH host keys, SSH clients that have previously logged into that switch will see a warning that the switch's SSH host key changed; this is expected behavior. Be sure to inform anyone who may log in to the switch that you generated new SSH host keys. These users must log in to the affected switches with their SSH clients, where they will be given instructions on how to remove the old SSH host keys from the known hosts files to avoid a spoofing or man-in-the-middle attack directed at their SSH clients.
Notes:
* This issue is fixed in Cumulus Linux 4.1.1. However, we recommend you generate new SSH host keys as this is the most reliable solution.
* If you upgrade from Cumulus Linux 4.0.0 or 4.1.0 to version 4.1.1 or later using apt-get and you did not generate new SSH host keys, you will need to generate new SSH host keys after the upgrade.
* If you perform a fresh install of Cumulus Linux 4.1.1 or later using a disk image, you will lose your existing local configuration. |
4.0.0-4.1.0 |
2548746 |
On the Broadcom switch with the Trident3 ASIC, packet priority remark values assigned from each internal CoS value continue to work with default values; if you change the internal CoS value, the change does not take effect. | 3.7.11-4.1.1 |
2548674 |
A large number of flapping peers causes FRR to update the internal data structures that track peer information. Updating this internal data structure does not delete links that are down due to the flapping. The size of this array then grows to contain both current peers and peers that should have been deleted during the flap processing. FRR processes the contents of this array to poll the links, which consumes CPU for every item in the array. This additional polling consumes more CPU than necessary but has no functional impact. To work around this issue, restart FRR. |
3.7.11-3.7.12, 4.0.0-4.1.1 |
2548586 |
After you flap an MLAG peerlink, a rare condition might occur where routes and neighbors for VXLAN-enabled VLANs are misprogrammed as non-VXLAN routes and neighbors due to VNI state transitions. This results in a forwarding failure for traffic destined to these misprogrammed routes and neighbors. Note: Do not flap a VNI interface manually. The only expected time for a VNI interface to go down is when the MLAG secondary switch brings the VNIs protodown during a peer link failure where the backup IP address is still active. To recover from this condition, restart switchd with the sudo systemctl restart switchd command. |
3.7.10-3.7.12, 4.1.0-4.1.1 |
2548561 |
On the EdgeCore Minipack-AS8000, when you try to configure ROCEv2, you see errors indicating that PFC is not working properly. | 4.0.0-4.1.1 |
2548496 |
Cumulus Linux supports a maximum of 300 ACLs for use with 802.1X interfaces. This limit encompasses the default ACLs, pre-auth ACLs and dynamic ACLs. Exceeding this limit can affect the performance of the switch. | 4.1.0-4.1.1 |
2548490 |
A change in a route map prefix list that should remove a route might not be reflected in the ospf6 database or in peers, and the route might not be deleted. To work around this issue, reenter the redistribute <connected|static> route-map statement in the configuration. |
3.7.11-4.1.1 |
2548457 |
The global MTU setting in the mtu.json file does not take effect on SVI interfaces after ifreload -a . To work around this issue, run sudo systemctl restart networking or restart the switch. Note: A network restart is a disruptive operation. |
4.1.0-4.1.1 |
2548422 |
You might see a core file in FRRouting related to OSPFv3 if the switch is configured as both an OSPFv3 ABR and ASBR, and other switches in the same area are also configured as both ABR and ASBR. This issue is not seen with a single ABR or ASBR in an area or if there are multiple ASBRs in an area not acting as ABRs. To work around this issue, do not perform redistribution on more than one ABR in the same area. | 4.0.0-4.1.1 |
2548383 |
The QuantaMesh BMS T3048-LY8 switch shows a low fan RPM in syslog. | 3.7.5-3.7.12, 4.0.0-4.1.1 |
2548373 |
On the Edgecore AS5812 switch, the Innodisk DIMM causes a DIMM temperature sensor absent alert. | 3.7.12, 4.0.0-4.1.1 |
2548320 |
When configuring VRF route leaking, if you define import vrf route-map but do not have any imported VRFs, the route map command displays incorrectly, and as a result, FRR fails to reload. |
4.0.0-4.1.1 |
2548308 |
When the garbage collector does not release memory back to the operating system, clagd might consume a large amount of memory. As a result of low system memory, systemd might shut down services to reclaim memory. |
3.7.11-3.7.12, 4.1.0-4.1.1 |
2548286 |
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks:
CVE-2019-10125, CVE-2019-15239, CVE-2019-19927, CVE-2019-19062, CVE-2019-19252, CVE-2019-19767, CVE-2019-19922
For the detailed security status of linux, refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux | 4.1.0-4.1.1 |
2548275 |
On the QuantaMesh BMS T5032-LY6 switch, when you run the hwclock command, you might see the error hwclock: select() to /dev/rtc0 to wait for clock tick timed out . |
4.1.0-4.1.1 |
2548242 |
On the Mellanox SN3800 switch, when you run sudo -E apt-get update , then sudo -E apt-get upgrade , you see a dialog prompting you for the interface on which to run DHCP, followed by a request for DHCP relay options. You can ignore this dialog and press enter to continue with the upgrade. |
4.1.0-4.1.1 |
2548197 |
On the Mellanox SN3800 switch, when you remove the PSU, smonctl reports that the PSU is BAD instead of ABSENT . |
4.1.0-4.1.1 |
2548194 |
On the Mellanox SN3800 switch, when you remove a fan tray, smonctl reports that the fan is LOW instead of ABSENT . |
4.1.0-4.1.1 |
2548151 |
On the Mellanox Spectrum switch in an EVPN symmetric configuration with MLAG, simultaneously shutting down the layer 3 interfaces that serve as uplinks to the VXLAN fabric might result in traffic loss of up to 15 seconds. | 4.1.0-4.1.1 |
2548113 |
In OVSDB VLAN-aware mode, removing a VTEP binding on the NSX controller fails to clean up all interfaces associated with the logical switch. | 3.7.12, 4.0.0-4.1.1 |
2548024 |
On the Dell Z9100 switch, 100G-SR4 modules might not link up reliably in certain ports. swp1, 2, 3, 9, 10, 23, 24, 30, 31, and 32 might be affected. To work around this issue, move 100G-SR4 modules to one of the ports not affected by this issue. |
3.7.11-4.1.1 |
2547839 |
When you try to configure link-down on a parent interface of a subinterface configured in a VRF, you encounter an error. |
3.7.11-4.1.1 |
2547783 |
PTM does not detect incorrect hostnames of LLDP neighbors and does not fail them as expected. Instead, they end up in an N/A cabling status. | 3.7.11-3.7.13, 4.0.0-4.1.1 |
2547667 |
On the Dell S5232F-ON switch, the output of ledmgrd shows amber_blinking but smonctl shows all OK. |
3.7.11-3.7.12, 4.0.0-4.1.1 |
2547610 |
Mellanox switches with the Spectrum A0 ASIC that are integrated with VMware NSX experience BFD connectivity issues with service nodes. As a result, VXLAN tunnels do not work. Mellanox switches with the Spectrum A1 ASIC do not have this issue. |
3.7.11-3.7.12, 4.0.0-4.1.1 |
2547340 |
When host-resources and ucd-snmp-mib are polled, you see permission denied messages similar to the following:
|
3.7.13, 4.0.0-4.1.1 |
2547245 |
The MLAG switch pair has VLANs defined that are not used on MLAG bonds. These VLANs still synchronize MAC addresses across to the peer switch. This results in log messages that indicate a MAC address is installed and the VLAN is not defined; for example:
|
3.7.10-3.7.13, 4.0.0-4.1.1 |
2547123 |
On the Broadcom switch with the Trident3 ASIC, packet priority remark values assigned from each internal CoS value continue to work with default values; if you change the internal CoS value, the change does not take effect. | 3.7.11-4.1.1 |
2547100 |
On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic. | 3.7.11-4.1.1 |
2546951 |
switchd crashes when dynamic VRF route leaking is enabled and the following is true:
* The default route is leaked from VRF1 to VRF2
* Hardware-based dynamic VRF route leaking is configured ( vrf_route_leak_enable_dynamic is set to TRUE in the /etc/cumulus/switchd.conf file).
You might see logs similar to the following in /var/log/syslog :
To work around this issue, use a route map to filter the default route (the source VRF is imported into the destination VRF). |
3.7.10-3.7.12, 4.0.0-4.1.1 |
2546485 |
The EdgeCore Minipack-AS8000 switch supports FEC RS by default; you cannot disable this setting. However, the ethtool --show-fec command output indicates that FEC is disabled. Also, if you try to change the FEC setting, Cumulus Linux reports an error. For example:
|
4.0.0-4.1.1 |
2546337 |
The net show bridge macs command returns an empty interface column. To work around this issue, run the bridge fdb show command to show the interface. |
4.0.0-4.1.1 |
2545933 |
Mellanox switches might experience higher CPU usage from the sx_sdk service or when BFD is in use. To work around this issue, disable BFD to alleviate some of the CPU load. |
3.7.13, 4.0.0-4.1.1 |
2545536 |
On the Mellanox switch with the Spectrum and Spectrum-2 ASIC, IPv6 egress ACLs are not supported on subinterfaces. | 4.0.0-4.1.1 |
2545352 |
With a high number of active routes (20K or more), when you perform a networking restart, the FRR log files might become flooded with error messages associated with the restart. These logs are normal and are not directly a problem. However, the large number of messages can cause the logs to rotate away any previous history, which prevents you from tracing back events leading up to the restart. In a troubleshooting environment, this can be problematic. | 4.0.0-4.1.1 |
2545164 |
On the Mellanox switch with the Spectrum 2 ASIC, interfaces using 100G or 200G Direct Attach Cables (DACs) do not come up with the interface default configuration. To work around this issue and bring the interfaces up, perform the following configuration on both sides of the link:
* Set the interface speed to the desired speed
* Set link auto-negotiation to _off_
* Set link FEC to RS mode |
4.0.0-4.1.1 |
2545054 |
When you run the NCLU net del interface command to delete an interface that has a description in the /etc/frr/frr.conf file but the /etc/frr/daemons file does not contain zebra=yes, all running FRR daemons ( |
4.0.0-4.1.1 |
2544904 |
After you delete an IPv6 numbered BGP peer group neighbor, Cumulus Linux might continue to send route advertisements. To work around this issue, restart FRR after removing the IPv6 numbered configuration. |
3.7.9-4.1.1 |
2544856 |
In the ethtool -m output, the Revision Compliance field might show Unallocated when the SFF-8363 Revision Compliance value is SFF-8636 version 2.8 or later. |
4.0.0-4.1.1 |
2544556 |
If you reconfigure an NTP server with NCLU using different trailing options after the IP address (such as iburst ), an invalid configuration is added to the /etc/ntp.conf file. For example:
If you need to alter existing server configurations, first remove the server, commit, then re-add the server with any trailing options. |
3.7.9-4.1.1 |
2543668 |
On the EdgeCore AS4610 switch, the ping command fails unless you run the command with sudo . To work around this issue, run the following commands:
Run the following command to verify the workaround:
You should see the following output:
|
3.7.6-3.7.10, 4.1.0-4.1.1 |
2543649 |
You cannot specify a source and destination MAC address in an ERSPAN ebtables rule. For example, the following rule does not work:
|
3.7.6-3.7.12, 4.0.0-4.1.1 |
2543270 |
The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly. To work around this issue, rely on a different source of default route other than injection with default-information originate . |
3.7.8-4.1.1 |
2542979 |
On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. |
3.7.7-4.1.1 |
2540950 |
On the QuantaMesh T4048-IX8 or EdgeCore AS7326-56X switch, when using a 1000BASE-T SFP module, the module LEDs do not light to reflect link status. |
3.7.3-4.1.1 |
2535706 |
On the Mellanox switch, GRE tunneling does not work if the tunnel source is configured on an SVI interface. If the tunnel source is configured on a physical switch port, then tunneling works as expected. | 4.0.0-4.1.1 |