Ciena Vyatta 5600 vRouter software patches (current)
On 31 December 2022, all 1912 versions of IBM Cloud Virtual Router Appliance will be deprecated and no longer supported. To maintain your current functionality, be sure to update to version 2012, 2110 or 2204 prior to 31 December 2022 by opening a support case and requesting an updated ISO. Once you receive your ISO, you can then follow the instructions for Upgrading the OS to finish updating your version.
As of January 2022, all 1801 versions of IBM Cloud Virtual Router Appliance (VRA) are deprecated and no longer supported. To maintain support for your VRA, be sure to update to version 2012, 2110, or 2204 as soon as possible by opening a support case and requesting an updated ISO. Once you receive your ISO, you can then follow the instructions for Upgrading the OS to finish updating your version.
Latest patch received: November 12, 2024
Latest documentation published: March 7, 2024
This document lists the patches for the currently supported versions of Vyatta Network OS 5600. Patches are named with a lowercase letter, excluding “i”, “o”, “l”, and “x”.
When multiple CVE numbers are addressed in a single update, the highest CVSS score is listed.
For the latest full release notes, please review the release notes in Ciena's Vyatta documentation or open a support case. For archived patch information for the Vyatta 5600 OS older than 17.2, see this topic.
2208d
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-65273 | Major | Unicast traffic on sw0 forwarded to all switch ports |
VRVDR-65254 | Major | Allow AS command stops working after device gets Reboot |
VRVDR-65051 | Major | BGP daemon crash in KA thread |
VRVDR-65040 | Critical | BGP does not advertise 0.0.0.0/x subnet |
VRVDR-65001 | Major | When using a resource group to block SSH port no:22 and protocol TCP, it is blocking all the TCP traffic. |
VRVDR-64978 | Major | Traceback Error: /system/hardware/frus/fru: Failed to run state fn causing ipsec outage |
VRVDR-64966 | Major | IPSec: SPI mismatch between dataplane and controlplane |
VRVDR-64858 | Major | Error Log: /interfaces/bonding/dp0bond2/vrrp: Node exists log message after upgrade to 2308C |
VRVDR-64834 | Major | Tacacs user not able to SSH directly connected device |
VRVDR-64818 | Critical | dataplane crashing even after removing sflow when upgraded to 2204g |
VRVDR-64788 | Critical | Coredumps observed after device upgrade to 2204g with sflow configuration |
VRVDR-64749 | Critical | LACP bonding interfaces are flapping after upgrade to 2308c |
VRVDR-64747 | Critical | Dataplane crashes after upgrade from 2012p to 2204g with sflow configuration |
VRVDR-64621 | Minor | IPsec phase 2 rekeying timer showing negative values |
VRVDR-64584 | Minor | CLI error message(Error: vici: malformed message: expected beginning of message element) coming when using show vpn commands |
VRVDR-64454 | Major | VRRP Route Tracking not working correctly |
VRVDR-64357 | Minor | Error Log: "vyatta-dataplane.service[dataplane[2719]:] DATAPLANE: Failed pack expired session xxx" |
VRVDR-64247 | Major | Support for Mellanox MT28850 ConnectX-6 |
VRVDR-64246 | Major | Configuring/Enabling virtio interface on Vyatta crashes virtual machine |
VRVDR-64242 | Major | 'show arp' operational command returns access errors for operator level user |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-65540 | 7.5 | DLA-3935-1 | Debian dla-3935 : distro-info-data - security update |
VRVDR-65515 | 6.5 | DLA-3922-1 | CVE-2023-23931, CVE-2023-49083: Debian dla-3922 : python-cryptography-doc - security update |
VRVDR-65479 | 7.8 | DLA-3910-1 | CVE-2022-1304: Debian dla-3910 : comerr-dev - security update |
VRVDR-65471 | 7.3 | DLA-3907-1 | CVE-2021-36690, CVE-2023-7104: Debian dla-3907 : lemon - security update |
VRVDR-65470 | 9.8 | DLA-3906-1 | Debian dla-3906 : libwireshark-data - security update |
VRVDR-65457 | 5.3 | DLA-3898-1 | CVE-2024-28182: Debian dla-3898 : libnghttp2-14 - security update |
VRVDR-65432 | 4.9 | DLA-3891-1 | CVE-2024-21096: Debian dla-3891 : libmariadb-dev - security update |
VRVDR-65377 | 6.1 | DLA-3878-1 | CVE-2016-3709, CVE-2022-2309: Debian dla-3878 : libxml2 - security update |
VRVDR-65376 | 5.9 | DLA-3876-1 | CVE-2022-40897, CVE-2024-6345: Debian dla-3876 : python-setuptools-doc - security update |
VRVDR-65375 | 5.3 | DLA-3875-1 | Nessus Scan: CVE-2024-28834, CVE-2024-28835: Debian dla-3875 : gnutls-bin - security update |
VRVDR-65363 | 5.9 | DLA-3859-1 | CVE-2023-7008, CVE-2023-50387, CVE-2023-50868: Debian dla-3859 : libnss-myhostname - security update |
VRVDR-65153 | 7.5 | DSA-5734-1 | CVE-2024-0760 CVE-2024-1737 CVE-2024-1975 CVE-2024-4076: [DSA 5734-1] bind9 security update |
VRVDR-65092 | 7.8 | DSA-5730-1 | [DSA 5730-1] linux security update |
VRVDR-65071 | 9.1 | DSA-5726-1 | CVE-2024-37370, CVE-2024-37371: Debian dsa-5726 : krb5-admin-server - security update |
VRVDR-64980 | 7.8 | DSA-5702-1 | CVE-2024-4453: [DSA 5702-1] gst-plugins-base1.0 security update |
VRVDR-64836 | 8.1 | DSA-5682-2 | CVE-2024-34397: [DSA 5682-2] glib2.0 regression update |
VRVDR-64820 | 8.6 | DSA-5679-1 | CVE-2022-48624, CVE-2024-32487: Debian dsa-5679 : less - security update |
VRVDR-64819 | 9.7 | DSA-5678-1 | CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602: Debian dsa-5678 : glibc-doc - security update |
VRVDR-64708 | 8.2 | DSA-5673-1 | CVE-2024-2961: Debian dsa-5673 : glibc-doc - security update |
VRVDR-63307 | 6.5 | DSA-5559-1 | [DSA 5559-1] wireshark security update |
VRVDR-61797 | 5.9 | DSA-5477-1 | CVE-2022-2127, CVE-2023-3347, CVE-2023-34966, CVE-2023-34967, CVE-2023-34968: Debian DSA-5477-1 : samba - security update |
New features
No new features or commands were added in this version. There is one potential known issue:
For 2208d, when a Vyatta is provisioned, there are only two interfaces on the device, `dp0bond0` and `dp0bond1`. You must add a VIF for any associated VLANs the Vyatta will be routing for. The first time you add a VIF to `dp0bond0` or `dp0bond1` with VRRP configuration, the device will fail over. For example, if you add a VIF for VLAN 1000 to `dp0bond0`, and it is the first VIF you configure, then the Vyatta will execute a failover once it is provisioned. As a result, if the Vyatta is set as master, it will become backup. However, if you add a second VIF to the same interface, it will not fail over unless you add a VIF to the other interface for the first time. Subsequent VIF configurations will not cause a failover, until you remove them all. Removing the last VIF from an interface also prompts a failover. As a result, removing all VIFs from `dp0bond0` will cause it to fail over and become backup. This is the only known issue for this version.
This version has not yet been completely tested against x540 NICs. Keep this in mind if you are upgrading.
2204h
Issues resolved
This version contains mitigation for the Terrapin SSH attack. A properly patched client and server will not have this vulnerability, but the client must support a strict key exchange for this to be fully mitigated.
Issue Number | Priority | Summary |
---|---|---|
VRVDR-64818 | Critical | Dataplane crashing when upgrading to 2204g |
VRVDR-64788 | Critical | Coredumps observed after device upgrade to 2204g with sflow configuration |
VRVDR-64787 | Critical | Dataplane crash observed after upgrade to 2204g |
VRVDR-64747 | Critical | Dataplane crashes after upgrade to 2204g with sflow configuration |
VRVDR-64621 | Minor | IPsec phase 2 rekeying timer showing negative values |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-64843 | 6.5 | DLA-3811-1 | CVE-2024-3651: Debian dla-3811 : pypy-idna - security update |
VRVDR-64821 | 8.2 | DLA-3807-1 | CVE-2024-2961: Debian dla-3807 : glibc-doc - security update |
VRVDR-64784 | 7.2 | DLA-3806-1 | Debian dla-3806 : distro-info-data - security update |
VRVDR-64776 | 5.3 | DLA-3804-1 | CVE-2024-28182: Debian dla-3804 : libnghttp2-14 - security update |
VRVDR-64696 | 7.5 | DLA-3789-1 | Debian dla-3789 : libdatetime-timezone-perl - security update |
VRVDR-64695 | 7.3 | DLA-3788-1 | Debian dla-3788 : tzdata - security update |
VRVDR-64596 | 7.5 | DLA-3783-1 | CVE-2023-52425: Debian dla-3783 : expat - security update |
VRVDR-64586 | 5.5 | DLA-3782-1 | CVE-2021-37600, CVE-2024-28085: Debian dla-3782 : bsdutils - security update |
VRVDR-64478 | 7.8 | DLA-3772-1 | CVE-2023-6597, CVE-2024-0450: Debian dla-3772 : idle-python3.7 - security update |
VRVDR-64477 | 6.2 | DLA-3771-1 | CVE-2024-0450: Debian dla-3771 : idle-python2.7 security update |
VRVDR-64411 | 8.8 | DLA-3763-1 | CVE-2023-27534: Debian dla-3763 : curl - security update |
VRVDR-64367 | 7.1 | DLA-3759-1 | CVE-2023-2861, CVE-2023-3354, CVE-2023-5088: Debian dla-3759 : qemu - security update libtiff-dev - security update |
VRVDR-64365 | 7.5 | DLA-3757-1 | CVE-2023-5388, CVE-2024-0743: Debian dla-3757 : libnss3 - security update |
VRVDR-64314 | 2.8 | DLA-3755-1 | Debian dla-3755 : tar - security update |
VRVDR-64179 | 7.5 | DLA-3746-1 | CVE-2023-4511, CVE-2023-4513, CVE-2023-6175, CVE-2024-0208: Debian dla-3746 : libwireshark-data - security update |
VRVDR-64106 | 7.5 | DLA-3740-1 | CVE-2023-5981, CVE-2024-0553: Debian dla-3740 : gnutls-bin |
New features
No new features or commands were added in this version.
2308c
Issues resolved
This version contains mitigation for the Terrapin SSH attack. A properly patched client and server will not have this vulnerability, but the client must support a strict key exchange for this to be fully mitigated.
Issue Number | Priority | Summary |
---|---|---|
VRVDR-64312 | Major | Unable to add multiple path monitor/policy pairs under a single VRRP group |
VRVDR-64042 | Critical | LACP Bonding, comprised of Intel X540/X520, transmits untagged ARP packets on vlan (802.1q) interfaces |
VRVDR-63951 | Critical | LACP Bonding, comprised of Intel X710, transmits untagged ARP packets on vlan (802.1q) interfaces |
VRVDR-63861 | Critical | SSH fails to start after upgrade to 2308a |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-64313 | 7.3 | DSA-5638-1 | CVE-2024-24806: Debian dsa-5638 : libuv1 - security update |
VRVDR-63936 | 7.5 | DSA-5621-1 | CVE-2023-4408, CVE-2023-5517, CVE-2023-5679, CVE-2023-6516, CVE-2023-50387, CVE-2023-50868: Debian dsa-5621 : bind9 - security update |
New features
The 2308 branch is based on Debian 11. All the previous Vyatta releases are based on Debian 10, so many of the underlying binaries and libraries on the OS have been upgraded to different versions, from SSH to the IPsec daemon amongst others.
Known issues
Removing a VIF that is participating in VRRP on the master device can prompt a failover. This isn't strictly a bug, but rather a result of how the keepalived process manages the removal of the interface. The failover occurs because when the interface is removed from the VRRP configuration, the keepalived process sends out a final VRRP broadcast message from the VIF that you are removing with a priority of `0`. This is a special priority to indicate that the device is no longer participating in VRRP on this broadcast domain. The backup device receives this `0` priority packet and interprets it to mean that the master is shutting down. After a few milliseconds, the backup assumes control of the pair and becomes master itself. (Simply adding or removing IPs from the interface does not appear to cause this problem, only deleting the interface entirely.)
Workaround: If you are removing a VIF entirely from a device, remove the VIF from the backup first. This action does not prompt a failover. IBM is discussing this behavior with the vendor to see if this behavior can be altered since previously removing a VIF didn't cause this unexpected behavior.
2204g
Issues resolved
This version contains mitigation for the Terrapin SSH attack. A properly patched client and server will not have this vulnerability, but the client must support a strict key exchange for this to be fully mitigated.
Issue Number | Priority | Summary |
---|---|---|
VRVDR-63709 | Major | Upgrade from 2012g to 2204f cause error "querying policy failed: Invalid argument (22)" |
VRVDR-63659 | Major | Mellanox MT28800 ConnectX-5 SR-IOV : interface is down with configured jumbo MTU |
VRVDR-62364 | Critical | Mellanox MT28800 ConnectX-5 SR-IOV : interface is down after configuring jumbo MTU |
VRVDR-62355 | Major | Mellanox MT28800 ConnectX-5 : receiving jumbo frame on non-jumbo configured interface causes dataplane crash |
VRVDR-61066 | Major | Community list configuration accepts alpha numeric community values |
VRVDR-60048 | Critical | Flapping BGP Default route during IPv6 Failure |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-63878 | 8.8 | DLA-3732-1 | CVE-2023-7090, CVE-2023-28486, CVE-2023-28487: Debian dla-3732 : sudo - security update |
VRVDR-63866 | 7.5 | DLA-3726-1 | CVE-2023-3341: Debian dla-3726 : bind9 - security update |
VRVDR-63808 | 4.9 | DLA-3722-1 | CVE-2023-22084: Debian dla-3722 : libmariadb-dev - security update |
VRVDR-63807 | 6.1 | DLA-3715-1 | CVE-2024-22195: Debian dla-3715 : python-jinja2 - security update |
VRVDR-63718 | 9.8 | DLA-3711-1 | Debian dla-3711 : linux-config-5.10 - security update |
VRVDR-63601 | 6.5 | DLA-3692-1 | CVE-2023-28322, CVE-2023-46218: Debian DLA-3692-1 : curl - LTS security update |
VRVDR-63600 | 7.1 | DLA-3689-1 | CVE-2020-0556, CVE-2023-45866: Debian DLA-3689-1 : bluez - LTS security update |
VRVDR-63432 | 6.7 | DLA-3682-1 | CVE-2021-39537, CVE-2023-29491: Debian DLA-3682-1 : ncurses - LTS security update |
VRVDR-63358 | 7.5 | DLA-3660-1 | CVE-2023-5981: Debian DLA-3660-1 : gnutls28 - LTS security update |
VRVDR-63175 | 7.1 | DLA-3649-1 | CVE-2023-43803: Debian DLA-3649-1 : python-urllib3 - LTS security update |
VRVDR-63133 | 7.5 | DLA-3646-1 | CVE-2023-34058, CVE-2023-34059: Debian DLA-3646-1 : open-vm-tools - LTS security update |
VRVDR-63021 | 7.2 | DLA-3639-1 | Debian DLA-3639-1 : distro-info-data - LTS database update |
VRVDR-62708 | 7.5 | DLA-3634-1 | CVE-2020-25648, CVE-2023-4421: Debian DLA-3634-1 : nss - LTS security update |
VRVDR-62675 | 7.2 | DLA-3629-1 | CVE-2019-10222, CVE-2020-1700, CVE-2020-1760, CVE-2020-10753, CVE-2020-12059, CVE-2020-25678, CVE-2020-27781, CVE-2021-3524, CVE-2021-3531, CVE-2021-3979, CVE-2021-20288, CVE-2023-43040: Debian DLA-3629-1 : ceph - LTS security update |
VRVDR-62674 | 6.5 | DLA-3628-1 | CVE-2023-34969: Debian DLA-3628-1 : dbus - LTS security update |
VRVDR-62511 | 6.5 | DLA-3626-1 | CVE-2023-36054: Debian DLA-3626-1 : krb5 - LTS security update |
VRVDR-62466 | 7.5 | DLA-3621-1 | CVE-2020-11080, CVE-2023-44487: Debian DLA-3621-1 : nghttp2 - LTS security update |
VRVDR-62378 | 9.8 | DLA-3614-1 | CVE-2022-48560, CVE-2022-48564, CVE-2022-48565, CVE-2022-48566, CVE-2023-40217: Debian DLA-3614-1 : python3.7 - LTS security update |
VRVDR-62377 | 5.9 | DLA-3613-1 | CVE-2023-28321, CVE-2023-38546: Debian DLA 3613-1 : curl - LTS security update |
VRVDR-62332 | 9.8 | DLA-3610-1 | CVE-2018-20060, CVE-2019-9740, CVE-2019-11236, CVE-2019-11324, CVE-2020-26116, CVE-2020-26137, CVE-2023-43804: Debian DLA-3610-1 : python-urllib3 - LTS security update |
VRVDR-62321 | 8.1 | DLA-3604-1 | CVE-2020-24165, CVE-2023-0330, CVE-2023-3180: Debian DLA-3604-1 : qemu - LTS security update |
VRVDR-62320 | 5.3 | DLA-3602-1 | CVE-2023-43785 CVE-2023-43786 CVE-2023-43787: Debian DLA-3602-1 : libx11 - LTS security update |
VRVDR-62319 | 9.8 | DLA-3605-1 | CVE-2023-4692, CVE-2023-4693: Debian DLA-3605-1: grub2 - LTS security update |
VRVDR-62290 | 7.5 | DLA-3597-1 | CVE-2023-20900: Debian DLA-3597-1 : open-vm-tools - LTS security update |
VRVDR-62282 | 7.8 | DLA-3588-1 | CVE-2023-4752, CVE-2023-4781: Debian DLA-3588-1: vim - LTS security update |
VRVDR-62281 | 6.5 | DLA-3586-1 | CVE-2020-19189: Debian DLA-3586-1 : ncurses - LTS security update |
VRVDR-58905 | 7.5 | CVE-2022-40617 | strongSwan: CVE-2022-40617 / Untrusted URIs for Revocation Checking might lead to DoS |
New features
VRVDR-62366 | Major | VRRP: Adding or Removing VRRP causes ALL virtual routers to change the state with "preempt true" |
VRVDR-60048 | Flapping BGP Default route during IPv6 failure |
Avoids resolving the BGP nexthop using the default route or through a unicast BGP route, as this can lead to constant BGP route installation churn in the rib, due to alternative BGP bestpath selection.
VRVDR-62366 | VRRP: Adding or Removing VRRP causes ALL virtual routers to change the state with "preempt true" |
VRRP now preserves the state of VRRP groups across configuration changes regardless of preempt setting. Previously, this preservation was only applied to VRRP groups configured with preempt set to false.
2308a
Issues resolved
This version contains fixes for previous issues regarding x540 NICs and VRRP.
Issue Number | Priority | Summary |
---|---|---|
VRVDR-62331 | Critical | Inconsistency in successful user authentication logs seen when login via telnet, ssh and tacacs+ user |
VRVDR-62257 | Critical | HTTP(S) traffic not being categorised as "type web" |
VRVDR-62228 | Major | Fix puncher log message |
VRVDR-61939 | Blocker | Telemetry Service rejects valid paths as invalid |
VRVDR-61856 | Major | BGP: graceful shutdown timer not inherited |
VRVDR-61372 | Critical | BGP: atomic agg route-map not applied for existing route |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-62998 | 7.5 | DSA-5543-1 | CVE-2023-34058, CVE-2023-34059: Debian DSA-5543-1 : open-vm-tools - security update |
VRVDR-62671 | 9.1 | DSA-5533-1 | [DSA 5533-1] gst-plugins-bad1.0 security update |
VRVDR-62316 | 9.8 | DSA-5519-1 | CVE-2023-4692, CVE-2023-4693: Debian DSA-5519-1: grub2 - security update |
VRVDR-62307 | 5.3 | DSA-5517-1 | CVE-2023-43785 CVE-2023-43786 CVE-2023-43787: [DSA 5517-1] libx11 security update |
VRVDR-62273 | 6.5 | DSA-5514-1 | Debian DSA-5514-1 : glibc - security update |
VRVDR-62219 | 9.8 | DSA-5505-1 | CVE-2023-41910: Debian DSA-5505-1 : lldpd - security update |
VRVDR-62211 | 7.5 | DSA-5504-1 | CVE-2023-3341, CVE-2023-4236: Debian DSA-5504-1: bind9 - security update |
VRVDR-62162 | 8.8 | DSA-5497-2 | [DSA 5497-2] libwebp security update |
VRVDR-62152 | 8.8 | DSA-5497-1 | [DSA 5497-1] libwebp security update |
VRVDR-61935 | 7.5 | DSA-5475-1 | CVE-2022-40982, CVE-2023-20569: Debian DSA-5475-1 : linux - security update |
VRVDR-61866 | 7.8 | DSA-5480-1 | [DSA-5480-1] : linux - security update |
VRVDR-61790 | 7.8 | DSA-5476-1 | [DSA 5476-1] gst-plugins-ugly1.0 security update |
VRVDR-61727 | 7.1 | DSA-5448-1 | [DSA 5448-1] linux security update |
2204f
Issues resolved
This version contains fixes for previous issues regarding x540 NICs and VRRP.
Issue Number | Priority | Summary |
---|---|---|
VRVDR-61825 | Major | QoS Shaper does not work for Mellanox ConnectX-5 |
VRVDR-61678 | Major | VRRP state stays as Master-Master with net_ixgbe interface driver |
VRVDR-61556 | Major | dataplane crash in MLX5 poll mode driver |
VRVDR-61510 | Major | bonding interface is down after “ICR0: malicious programming detected” message for i40e pmd driver |
VRVDR-61276 | Critical | Dataplane/RIBd crash causes VRRP failover |
VRVDR-60872 | Major | opd.log file continuously increasing causing disk space consumption and issues |
VRVDR-60589 | Major | New VRRPv3 VIF within routing-instance shows FAULT state |
VRVDR-60453 | Major | Mellanox ConnectX-5 VF interfaces fail to initialize on 16 CPU systems |
VRVDR-46123 | Critical | Copy Command: SCP copy give curl: (67) Authentication failure when no password given |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-62201 | 9.8 | DLA-3575-1 | CVE-2021-23336, CVE-2022-0391, CVE-2022-48560, CVE-2022-48565, CVE-2022-48566, CVE-2023-24329, CVE-2023-40217: Debian DLA-3575-1 : python2.7 - LTS security update |
VRVDR-62185 | 9.8 | DLA-3567-1 | CVE-2020-22217: Debian DLA-3567-1 : c-ares - LTS security update |
VRVDR-61846 | 9.8 | DLA-3532-1 | CVE-2023-38408: Debian DLA-3532-1 : openssh - LTS security update |
VRVDR-62184 | 9.6 | DLA-3570-1 | CVE-2023-4863: Debian DLA-3570-1 : libwebp - LTS security update |
VRVDR-62107 | 8.1 | DLA-3559-1 | CVE-2019-13115, CVE-2019-17498, CVE-2020-22218: Debian DLA-3559-1 : libssh2 - LTS security update |
VRVDR-60642 | 5.4 | DLA-3388-1 | CVE-2021-44225: Debian DLA-3388-1 : keepalived - LTS security update |
VRVDR-61843 | 5.3 | DLA-3530-1 | CVE-2023-3446, CVE-2023-3817: Debian DLA-3530-1 : openssl - LTS security update |
VRVDR-61845 | 3.9 | DLA-3531-1 | CVE-2023-20867: Debian DLA-3531-1 : open-vm-tools - LTS security update |
2204e
Issues resolved
Vyatta gateway appliances using the Intel X540 series NIC have been encountering VRRP issues. Only upgrade to 2204e if your gateway appliance uses the X710 series NIC. For gateways with X540s, you should use the latest 2012 version until the VRRP issues are fixed in 2204. The `lspci | grep Eth` command shows the type of NIC on your Vyatta.
Issue Number | Priority | Summary |
---|---|---|
VRVDR-61123 | Critical | VRRPv3 IPv6 RFC: disabling preemption causes failover |
VRVDR-60873 | Critical | BGP flaps when add/removing vfp or vip interfaces causing outage |
VRVDR-60797 | Blocker | eBGP neighbors are not getting established |
VRVDR-60699 | Minor | VIF removal causes VRRP to failover |
VRVDR-60644 | Major | Route-map action change doesn't propagate to Quagga level |
VRVDR-60580 | Critical | Dataplane fails to restart if random-detect is configured |
VRVDR-60386 | Major | Creating new VIF causes a VRRP failover (of interfaces in same sync-group) |
VRVDR-60065 | Major | Memory leaks in DPDK and dataplane |
VRVDR-60041 | Major | Upgrading from 1912t to 2012n, segfault took place (dp/master-csync) |
VRVDR-60008 | Major | PAM account management error: Permission denied |
VRVDR-59856 | Major | VRRP Holding msg missing from Minster |
VRVDR-59610 | Critical | Dataplane crash in cds_lfht_first on spoke2 |
VRVDR-59057 | Critical | Dataplane interface TX and RX queue allocation in 2204c less than expected when compared to 2110f |
VRVDR-58646 | Blocker | Increase description field lengths |
VRVDR-58593 | Critical | dataplane/bfd: rc/zsock.c:88: zsock_new_checked: Assertion `self->handle' failed |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-60682 | 9.8 | DLA-3398-1 | CVE-2023-27533, CVE-2023-27535, CVE-2023-27536, CVE-2023-27538: Debian DLA-3398-1 : curl - LTS security update |
VRVDR-60648 | 7.5 | DLA-3393-1 | CVE-2021-22569, CVE-2021-22570, CVE-2022-1941: Debian DLA-3393-1 : protobuf - LTS security update |
VRVDR-60604 | 7.5 | DLA-3389-1 | CVE-2020-27827, CVE-2021-43612: Debian DLA-3389-1 : lldpd - LTS security update |
VRVDR-60559 | 5.9 | DLA-3374-1 | CVE-2023-27371: Debian DLA-3374-1 : libmicrohttpd - LTS security update |
VRVDR-60552 | 7.8 | DLA-3377-1 | CVE-2023-26604: Debian DLA-3377-1 : systemd - LTS security update |
VRVDR-60496 | 5.5 | DSA-5378-1 | CVE-2022-23824, CVE-2022-42331, CVE-2022-42332, CVE-2022-42333, CVE-2022-42334: Debian DSA-5378-1 : xen - security update |
VRVDR-60489 | 8.6 | DLA-3367-1 | Debian DLA-3367-1 : libdatetime-timezone-perl - LTS security update |
VRVDR-60488 | 8.6 | DLA-3366-1 | Debian DLA-3366-1 : tzdata - LTS security update |
VRVDR-60448 | 9.1 | DLA-3363-1 | CVE-2019-20454, CVE-2022-1586, CVE-2022-1587: Debian DLA-3363-1 : pcre2 - LTS security update |
VRVDR-60447 | 8.6 | DLA-3355-1 | Debian DLA-3355-1 : xapian-core - LTS security update |
VRVDR-60407 | 8.8 | DLA-3362-1 | CVE-2020-14394, CVE-2020-17380, CVE-2020-29130, CVE-2021-3409, CVE-2021-3592, CVE-2021-3593, CVE-2021-3594, CVE-2021-3595, CVE-2022-0216, CVE-2022-1050: Debian DLA-3362-1 : qemu - LTS security update |
VRVDR-60266 | 8.6 | DLA-3337-1 | Debian DLA-3337-1 : mariadb-10.3 - LTS security update |
VRVDR-60264 | 5.5 | DLA-3333-1 | CVE-2023-0795, CVE-2023-0796, CVE-2023-0797, CVE-2023-0798, CVE-2023-0799, CVE-2023-0800, CVE-2023-0801, CVE-2023-0802, CVE-2023-0803, CVE-2023-0804: Debian DLA-3333-1 : tiff - LTS security update |
VRVDR-60263 | 9.1 | DLA-3327-1 | CVE-2020-6829, CVE-2020-12400, CVE-2020-12401, CVE-2020-12403, CVE-2023-0767: Debian DLA-3327-1 : nss - LTS security update |
VRVDR-60237 | 6.5 | DLA-3331-1 | Nessus Scan: CVE-2023-23931: Debian DLA-3331-1 : python-cryptography - LTS security update |
VRVDR-60234 | 7.4 | DLA-3325-1 | CVE-2022-2097, CVE-2022-4304, CVE-2022-4450, CVE-2023-0215, CVE-2023-0286: Debian DLA-3325-1 : openssl - LTS security update |
VRVDR-60210 | 7.5 | DLA-3323-1 | CVE-2022-4904: Debian DLA-3323-1 : c-ares - LTS security update |
VRVDR-60202 | 5.9 | DLA-3321-1 | CVE-2023-0361: Debian DLA-3321-1 : gnutls28 - LTS security update |
VRVDR-60171 | 6.5 | DLA-3313-1 | CVE-2022-4345, CVE-2023-0411, CVE-2023-0412, CVE-2023-0413, CVE-2023-0415, CVE-2023-0417: Debian DLA-3313-1 : wireshark - LTS security update |
VRVDR-60132 | 8.6 | DLA-3312-1 | Debian DLA-3312-1 : shim - LTS security update |
2012p
Issues Resolved
Because of VRRP issues and bugs in version 2012, deleting a VIF on the primary Vyatta will cause a failover for all other interfaces in the same sync-group. In addition, disabling an interface on the primary Vyatta will cause all interfaces in the same sync-group as that interface to fault. To avoid this failover, you can change the sync-group of the interface to a non-default setting before disabling or deleting it. If you want to add the interface back into the configuration, or if you want to reenable the interface, commit that change before adding it back into the original sync-group. Otherwise, the same failover will occur again. You should also validate that your firewall policies allow VRRP and that your VRRP configurations -- such as `preempt false`, `priority` (253 on the default backup and 254 on the default primary) and `advertise-interval` (the default is 1) -- are all set to the same value for each VIF. This is required in order to have a stable VRRP cluster.
Issue Number | Priority | Summary |
---|---|---|
VRVDR-60094 | Major | VRRP doesn't function properly if multiple vrrp-instances have same vrrp-sync-group configured |
VRVDR-60065 | Major | Memory leaks in DPDK and dataplane |
VRVDR-60041 | Major | Upgrading from 1912t to 2012n, segfault took place (dp/master-csync) |
VRVDR-60008 | Major | PAM account management error: Permission denied |
VRVDR-59602 | Major | VRRP transitions from MASTER to BACKUP when new VIF interface is created |
VRVDR-59174 | Major | IPsec fails to start after upgrade to 2012m and VRRP failover |
VRVDR-59062 | Major | IPsec failing on reboot after upgrade from 1912 to 2012m |
VRVDR-55060 | Critical | ribd coredump in zv_exp_l_string |
VRVDR-54588 | Major | Values returned for vyatta-system-v1/system/cpu-history/cpu-data do not conform to YANG model |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-60496 | 5.5 | DSA-5378-1 | CVE-2022-23824, CVE-2022-42331, CVE-2022-42332, CVE-2022-42333, CVE-2022-42334: Debian DSA-5378-1 : xen - security update |
VRVDR-60489 | N/A | DLA-3367-1 | Debian DLA-3367-1 : libdatetime-timezone-perl - LTS security update |
VRVDR-60488 | N/A | DLA-3366-1 | Debian DLA-3366-1 : tzdata - LTS security update |
VRVDR-60448 | 9.1 | DLA-3363-1 | CVE-2019-20454, CVE-2022-1586, CVE-2022-1587: Debian DLA-3363-1 : pcre2 - LTS security update |
VRVDR-60447 | N/A | DLA-3355-1 | Debian DLA-3355-1 : xapian-core - LTS security update |
VRVDR-60407 | 8.8 | DLA-3362-1 | CVE-2020-14394, CVE-2020-17380, CVE-2020-29130, CVE-2021-3409, CVE-2021-3592, CVE-2021-3593, CVE-2021-3594, CVE-2021-3595, CVE-2022-0216, CVE-2022-1050: Debian DLA-3362-1 : qemu - LTS security update |
VRVDR-60264 | 5.5 | DLA-3333-1 | CVE-2023-0795, CVE-2023-0796, CVE-2023-0797, CVE-2023-0798, CVE-2023-0799, CVE-2023-0800, CVE-2023-0801, CVE-2023-0802, CVE-2023-0803, CVE-2023-0804 : Debian DLA-3333-1 : tiff - LTS security update |
VRVDR-60263 | 9.1 | DLA-3327-1 | CVE-2020-6829, CVE-2020-12400, CVE-2020-12401, CVE-2020-12403, CVE-2023-0767: Debian DLA-3327-1 : nss - LTS security update |
VRVDR-60237 | 6.5 | DLA-3331-1 | CVE-2023-23931: Debian DLA-3331-1 : python-cryptography - LTS security update |
VRVDR-60234 | 7.4 | DLA-3325-1 | CVE-2022-2097, CVE-2022-4304, CVE-2022-4450, CVE-2023-0215, CVE-2023-0286: Debian DLA-3325-1 : openssl - LTS security update |
VRVDR-60210 | 7.5 | DLA-3323-1 | CVE-2022-4904: Debian DLA-3323-1 : c-ares - LTS security update |
VRVDR-60202 | 5.9 | DLA-3321-1 | CVE-2023-0361: Debian DLA-3321-1 : gnutls28 - LTS security update |
VRVDR-60171 | 7.1 | DLA-3313-1 | CVE-2022-4345, CVE-2023-0411, CVE-2023-0412, CVE-2023-0413, CVE-2023-0415, CVE-2023-0417: Debian DLA-3313-1 : wireshark - LTS security update |
VRVDR-60034 | 8.8 | DLA-3297-1 | CVE-2022-48281: Debian DLA-3297-1 : tiff - LTS security update |
VRVDR-60005 | 9.8 | DLA-3288-1 | CVE-2022-27774, CVE-2022-27782, CVE-2022-32221, CVE-2022-35252, CVE-2022-43552: Debian DLA-3288-1 : curl - LTS security update |
VRVDR-59923 | 7.8 | DLA-3272-1 | CVE-2023-22809: Debian DLA-3272-1 : sudo - LTS security update |
VRVDR-59922 | 8.8 | DLA-3278-1 | CVE-2022-1354, CVE-2022-1355, CVE-2022-2056, CVE-2022-2057, CVE-2022-2058, CVE-2022-2867, CVE-2022-2868, CVE-2022-2869, CVE-2022-3570, CVE-2022-3597, CVE-2022-3598, CVE-2022-3599, CVE-2022-3626, CVE-2022-3627, CVE-2022-3970, CVE-2022-34526: Debian DLA-3278-1 : tiff - LTS security update |
VRVDR-59809 | 9.1 | DLA-3263-1 | CVE-2021-46848: Debian DLA-3263-1 : libtasn1-6 - LTS security update |
VRVDR-59786 | 9.8 | DLA-3152-1 | CVE-2016-10228, CVE-2019-19126, CVE-2019-25013, CVE-2020-1752, CVE-2020-6096, CVE-2020-10029, CVE-2020-27618, CVE-2021-3326, CVE-2021-3999, CVE-2021-27645, CVE-2021-33574, CVE-2021-35942, CVE-2022-23218, CVE-2022-23219: Debian DLA-3152-1 : glibc security updates |
VRVDR-59695 | 9.8 | DLA-3248-1 | CVE-2022-47629: Debian DLA-3248-1 : libksba - LTS security update |
VRVDR-59552 | 7.8 | DLA-3232-1 | CVE-2019-18388, CVE-2019-18389, CVE-2019-18390, CVE-2019-18391, CVE-2020-8002, CVE-2020-8003, CVE-2022-0135: Debian DLA-3232-1 : virglrenderer - LTS security update |
VRVDR-59538 | 6.5 | DLA-3224-1 | CVE-2020-8287: Debian DLA-3224-1 : http-parser - LTS security update |
VRVDR-59492 | 6.4 | DLA-3213-1 | CVE-2022-42898: Debian DLA-3213-1 : krb5 - LTS security update |
VRVDR-59455 | 9.8 | DLA-3204-1 | CVE-2022-0318, CVE-2022-0392, CVE-2022-0629, CVE-2022-0696, CVE-2022-1619, CVE-2022-1621, CVE-2022-1785, CVE-2022-1897, CVE-2022-1942, CVE-2022-2000, CVE-2022-2129, CVE-2022-3235, CVE-2022-3256, CVE-2022-3352: Debian DLA-3204-1 : vim - LTS security update |
VRVDR-59408 | 6.4 | DSA-5280-1 | CVE-2022-2601, CVE-2022-3775: Debian DSA-5280-1 : grub2 - security update |
VRVDR-59407 | 6.4 | DLA-3190-1 | CVE-2022-2601, CVE-2022-3775: Debian DLA-3190-1 : grub2 - LTS security update |
VRVDR-59360 | 9.8 | DLA-3188-1 | CVE-2019-16167, CVE-2019-19725, CVE-2022-39377: Debian DLA-3188-1 : sysstat - LTS security update |
VRVDR-59310 | 8.8 | DLA-3182-1 | CVE-2021-3927, CVE-2021-3928, CVE-2021-3974, CVE-2021-3984, CVE-2021-4019, CVE-2021-4069, CVE-2021-4192, CVE-2021-4193, CVE-2022-0213, CVE-2022-0261, CVE-2022-0319, CVE-2022-0351, CVE-2022-0359, CVE-2022-0361, CVE-2022-0368, CVE-2022-0408, CVE-2022-0413, CVE-2022-0417, CVE-2022-0443, CVE-2022-0554, CVE-2022-0572, CVE-2022-0685, CVE-2022-0714, CVE-2022-0729, CVE-2022-0943, CVE-2022-1154, CVE-2022-1616, CVE-2022-1720, CVE-2022-1851, CVE-2022-1898, CVE-2022-1968, CVE-2022-2285, CVE-2022-2304, CVE-2022-2598, CVE-2022-2946, CVE-2022-3099, CVE-2022-3134, CVE-2022-3234, CVE-2022-3324, CVE-2022-3705: Debian DLA-3182-1 : vim - LTS security update |
VRVDR-59260 | 2.5 | DLA-3181-1 | CVE-2021-23239: Debian DLA-3181-1 : sudo - LTS security update |
VRVDR-59259 | 8.8 | DLA-3179-1 | CVE-2022-44638: Debian DLA-3179-1 : pixman - LTS security update |
VRVDR-59150 | 9.8 | DLA-3175-1 | CVE-2022-37454: Debian DLA-3175-1 : python3.7 - LTS security update |
VRVDR-59144 | 8.1 | DLA-3172-1 | CVE-2022-40303, CVE-2022-40304: Debian DLA-3172-1 : libxml2 - LTS security update |
VRVDR-59143 | N/A | DLA-3171-1 | Debian DLA-3171-1 : distro-info-data - LTS database update |
VRVDR-59132 | N/A | DLA-3162-1 | Debian DLA-3162-1 : libdatetime-timezone-perl - LTS security update |
VRVDR-59131 | N/A | DLA-3161-1 | Debian DLA-3161-1 : tzdata - LTS security update |
VRVDR-59130 | 7.1 | DLA-3167-1 | CVE-2022-29458: Debian DLA-3167-1 : ncurses - LTS security update |
VRVDR-59128 | 7.5 | DLA-3165-1 | CVE-2022-43680: Debian DLA-3165-1 : expat - LTS security update |
VRVDR-59070 | 9.1 | DLA-3157-1 | CVE-2019-8921, CVE-2019-8922, CVE-2021-41229, CVE-2021-43400, CVE-2022-0204, CVE-2022-39176, CVE-2022-39177: Debian DLA-3157-1 : bluez - LTS security update |
2012n
Issues Resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-58944 | Major | Failed to change password for local service-user |
VRVDR-58761 | Critical | ixgbe: per queue statistical counters are broken |
VRVDR-58747 | Critical | Latency and packet drop issues with ixgbe (Intel x520 and x540) driver |
VRVDR-58689 | Major | Virtual address mismatch causes syslog flooding |
VRVDR-58668 | Major | mGRE doesn't work with NAT or Firewall binding at local interface of GRE tunnel |
VRVDR-58598 | Minor | Update linux-firmware |
VRVDR-58530 | Major | Incorrect checksum calculation during CGNAT+DNAT lookup for return traffic |
VRVDR-58459 | Major | System static-host-mapping command doesn't work until reboot Vyatta or reset dns |
VRVDR-58217 | Major | OSPF-hello packets don't reach to OSPF daemon without monitor/dumping traffic at ospf interface |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-58948 | 6.5 | DLA-3142-1 | CVE-2022-42010, CVE-2022-42011, CVE-2022-42012: Debian DLA-3142-1 : dbus - LTS security update |
VRVDR-58897 | 7.5 | DLA-3138-1 | CVE-2022-2795, CVE-2022-38177, CVE-2022-38178: Debian DLA-3138-1 : bind9 - LTS security update |
VRVDR-58895 | N/A | DLA-3135-1 | Debian DLA-3135-1 : libdatetime-timezone-perl - LTS security update |
VRVDR-58894 | N/A | DLA-3134-1 | Debian DLA-3134-1 : tzdata - LTS security update |
VRVDR-58893 | 7.5 | DLA-3133-1 | CVE-2022-37797: Debian DLA-3133-1 : lighttpd - LTS security update |
VRVDR-58892 | 6.5 | DLA-3127-1 | CVE-2022-31081: Debian DLA-3127-1 : libhttp-daemon-perl - LTS security update |
VRVDR-58845 | 9.8 | DLA-3119-1 | CVE-2022-40674: Debian DLA-3119-1 : expat - LTS security update |
VRVDR-58785 | 7.5 | DLA-3110-1 | CVE-2021-3800: Debian DLA-3110-1 : glib2.0 - LTS security update |
VRVDR-58767 | 7.5 | DLA-3114-1 | CVE-2018-25032, CVE-2021-46669, CVE-2022-21427, CVE-2022-27376, CVE-2022-27377, CVE-2022-27378, CVE-2022-27379, CVE-2022-27380, CVE-2022-27381, CVE-2022-27383, CVE-2022-27384, CVE-2022-27386, CVE-2022-27387, CVE-2022-27445, CVE-2022-27447, CVE-2022-27448, CVE-2022-27449, CVE-2022-27452, CVE-2022-27456, CVE-2022-27458, CVE-2022-32083, CVE-2022-32084, CVE-2022-32085, CVE-2022-32087, CVE-2022-32088, CVE-2022-32091: Debian DLA-3114-1: mariadb-10.3 – LTS security update |
VRVDR-58766 | N/A | DLA-3112-1 | Debian DLA-3112-1 : bzip2 - LTS security update |
VRVDR-58727 | 5.9 | DLA-3104-1 | CVE-2022-24302: Debian DLA-3104-1 : paramiko - LTS security update |
VRVDR-58726 | 9.8 | DLA-3103-1 | CVE-2022-37434: Debian DLA-3103-1 : zlib - LTS security update |
VRVDR-58694 | 8.8 | DLA-3101-1 | CVE-2019-5815, CVE-2021-30560: Debian DLA-3101-1 : libxslt - LTS security update |
VRVDR-58674 | 8.8 | DLA-3099-1 | CVE-2020-13253, CVE-2020-15469, CVE-2020-15859, CVE-2020-25084, CVE-2020-25085, CVE-2020-25624, CVE-2020-25625, CVE-2020-25723, CVE-2020-27617, CVE-2020-27821, CVE-2020-28916, CVE-2020-29129, CVE-2020-29443, CVE-2020-35504, CVE-2020-35505, CVE-2021-3392, CVE-2021-3416, CVE-2021-3507, CVE-2021-3527, CVE-2021-3582, CVE-2021-3607, CVE-2021-3608, CVE-2021-3682, CVE-2021-3713, CVE-2021-3748, CVE-2021-3930, CVE-2021-4206, CVE-2021-4207, CVE-2021-20181, CVE-2021-20196, CVE-2021-20203, CVE-2021-20221, CVE-2021-20257, CVE-2022-26354, CVE-2022-35414: Debian DLA-3099-1: qemu – LTS security update |
VRVDR-58643 | 7.8 | DLA-3081-1 | CVE-2022-31676: Debian DLA-3081-1 : open-vmtools - LTS security update |
VRVDR-58624 | 8.1 | DLA-3085-1 | CVE-2021-22898, CVE-2021-22924, CVE-2021-22946, CVE-2021-22947, CVE-2022-22576, CVE-2022-27776, CVE-2022-27781, CVE-2022-27782, CVE-2022-32206, CVE-2022-32208: Debian DLA-3085-1 : curl - LTS security update |
VRVDR-58604 | 6.5 | N/A | CVE-2022-2132, CVE-2022-28199: DPDK security update |
VRVDR-58536 | 7.5 | DLA-3071-1 | CVE-2021-46828: Debian DLA-3071-1 : libtirpc - LTS security update |
VRVDR-58535 | 7.5 | DLA-3070-1 | CVE-2021-4209, CVE-2022-2509: Debian DLA-3070-1 : gnutls28 - LTS security update |
2012m
Issues Resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-58440 | Major | Memory leak and high cpu usage by vyatta-entity-mibs-subagent, memory leak by vyatta-snmp-subagent |
VRVDR-58228 | Major | Incorrect Session table-size after reboot |
VRVDR-58179 | Major | Error message 'npf_pack nat session restore failed' on VRRP backup |
VRVDR-58119 | Major | IPsec RAVPN: X509 authentication fails, presumably due to missing fragmentation support |
VRVDR-58113 | Major | VRRP Groups in a sync-group fail to send a second set of GARPs on transition to master state |
VRVDR-56721 | Blocker | Dataplane core on save on commit test |
VRVDR-55774 | Critical | Setup of IKE secrets failed: Decryption of private key file [key-path] failed: Unknown PEM block type: EC PRIVATE KEY |
VRVDR-55663 | Major | IPsec VCI: crash in internal/conn.SyncAllConns |
VRVDR-55624 | Critical | IPSec RA server and client not working after upgrade to 2009 or later |
VRVDR-55367 | Critical | BMC Health check is very noisy in the system logs, with 5 entries every minute, in a passing state |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-58293 | 7.8 | DSA-5173-1 | CVE-2021-4197, CVE-2022-0494, CVE-2022-0812, CVE-2022-0854, CVE-2022-1011, CVE-2022-1012, CVE-2022-1016, CVE-2022-1048, CVE-2022-1184, CVE-2022-1195, CVE-2022-1198, CVE-2022-1199, CVE-2022-1204, CVE-2022-1205, CVE-2022-1353, CVE-2022-1419, CVE-2022-1516, CVE-2022-1652, CVE-2022-1729, CVE-2022-1734, CVE-2022-1974, CVE-2022-1975, CVE-2022-2153, CVE-2022-21123, CVE-2022-21125, CVE-2022-21166, CVE-2022-23960, CVE-2022-26490, CVE-2022-27666, CVE-2022-28356, CVE-2022-28388, CVE-2022-28389, CVE-2022-28390, CVE-2022-29581, CVE-2022-30594, CVE-2022-32250, CVE-2022-32296, CVE-2022-33981: Debian DSA-5173-1: linux – security update |
VRVDR-58292 | 6.5 | DSA-5174-1 | CVE-2022-34903: Debian DSA-5174-1 : gnupg2 - security update |
VRVDR-58254 | 9.8 | DSA-5169-1 | CVE-2022-2068: Debian DSA-5169-1 : openssl - security update |
VRVDR-58185 | 7.8 | DSA-5161-1 | CVE-2022-0494, CVE-2022-0854, CVE-2022-1012, CVE-2022-1729, CVE-2022-1786, CVE-2022-1789, CVE-2022-1852, CVE-2022-32250, CVE-2022-1972, CVE-2022-1974, CVE-2022-1975, CVE-2022-21499, CVE-2022-28893: Debian DSA-5161-1: linux – security update |
VRVDR-58081 | 8.1 | DSA-5150-1 | CVE-2022-24903: Debian DSA-5150-1: rsyslog – security update |
2012k
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-58161 | Blocker | QinQ: The cli prompt does not return after deleting the vif config from the dataplane interface |
VRVDR-57849 | Major | vyatta-vrrp crashes on boot if vrrp group is disabled |
VRVDR-57814 | Major | Crash of IKE control-plane during shutdown or VRRP backup transition |
VRVDR-57797 | Major | IPsec: Crypto device limit causing tunnel setup failure |
VRVDR-57778 | Major | Vyatta configuration lost after reboot with 'vrrp vrrp-group <x> hello-source-address <x.x.x.x>' command |
VRVDR-57760 | Minor | SYN-SENT no longer displayed in journal/logs upon upgrade from 1801zf to 1912q |
VRVDR-57467 | Critical | Banner with newline prevents loading configuration after upgrade from 1903j to 1908n |
VRVDR-57146 | Critical | QinQ: The config prompt does not return after deleting the vif from the dataplane interface. Hence QinQ scripts are failing |
VRVDR-56916 | Critical | Installer errors and fails to install image on upgrade of Flexware box from 1903 |
VRVDR-56702 | Critical | add system image for Kington fails when base image is 1912p, works fine from 1903m base |
VRVDR-56336 | Blocker | Power-cycling or reboot hardware intermittently results in disk boot corruption so that SIAD is a grub prompt unable to boot |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-58044 | 9.1 | DSA-5147-1 | CVE-2022-1664: Debian DSA-5147-1 : dpkg - security update |
VRVDR-58014 | 6.5 | DSA-5142-1 | CVE-2022-29824: Debian DSA-5142-1 : libxml2 - security update |
VRVDR-57991 | 9.8 | DSA-5140-1 | CVE-2022-29155: Debian DSA-5140-1 : openldap - security update |
VRVDR-57926 | 9.8 | DSA-5139-1 | CVE-2022-1292: Debian DSA-5139-1 : openssl - security update |
VRVDR-57734 | 9.8 | DSA-5130-1 | CVE-2021-3839, CVE-2022-0669: Debian DSA-5130-1 : dpdk - security update |
VRVDR-57692 | 7.8 | DSA-5127-1 | CVE-2021-4197, CVE-2022-0168, CVE-2022-1016, CVE-2022-1048, CVE-2022-1158, CVE-2022-1195, CVE-2022-1198, CVE-2022-1199, CVE-2022-1204, CVE-2022-1205, CVE-2022-1353, CVE-2022-1516, CVE-2022-26490, CVE-2022-27666, CVE-2022-28356, CVE-2022-28388, CVE-2022-28389, CVE-2022-28390, CVE-2022-29582: Debian DSA-5127-1: linux – security update |
VRVDR-57189 | 7.8 | DSA-5095-1 | CVE-2020-36310, CVE-2022-0001, CVE-2022-0002, CVE-2022-0487, CVE-2022-0492, CVE-2022-0617, CVE-2022-25636: Debian DSA-5095-1: linux – security update |
VRVDR-57161 | 8.8 | DSA-5092-1 | CVE-2021-43976, CVE-2022-0330, CVE-2022-0435, CVE-2022-0516, CVE-2022-0847, CVE-2022-22942, CVE-2022-24448, CVE-2022-24959, CVE-2022-25258, CVE-2022-25375: Debian DSA-5092-1: linux – security update |
2012j
Issues Resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-56337 | Major | DHCP assignment is not happening after reboot |
VRVDR-42512 | Major | When telnet is used to login remotely, login reports "Welcome to \S{NAME}" |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-57493 | 7.5 | DSA-5123-1 | CVE-2022-1271: Debian DSA-5123-1 : xz-utils - security update |
2012h
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-57307 | Critical | Attempting NAT on an ICMP other than echo request/reply causes dataplane crash |
VRVDR-56672 | Critical | NAT SIP ALG misinterprets SDP part of packet payload header causing dataplane crash |
VRVDR-56576 | Critical | Dataplane crash while capturing traffic |
VRVDR-56560 | Minor | GNSS: use UBX-NAV-SAT to get visible satellites |
VRVDR-56533 | Major | VRRPv3 sync group o/p shows incorrect state |
VRVDR-56119 | Critical | PTP: Intermittently "show gnss" does not return |
VRVDR-47554 | Major | Validate GRE tunnel transport local-ip |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-57353 | 7.5 | DLA-2935-1 | CVE-2018-25032: Debian DSA-5111-1 : zlib - security update |
VRVDR-57317 | 7.1 | DSA-5108-1 | CVE-2022-0561, CVE-2022-0562, CVE-2022-0865, CVE-2022-0891, CVE-2022-0907, CVE-2022-0908, CVE-2022-0909, CVE-2022-0924, CVE-2022-22844: Debian DSA-5108-1 : tiff - security update |
VRVDR-57273 | 7.5 | DSA-5105-1 | CVE-2021-25220, CVE-2022-0396: Debian DSA-5105-1 : bind9 - security update |
VRVDR-57243 | 7.5 | DSA-5103-1 | CVE-2021-4160, CVE-2022-0778: Debian DSA-5103-1: openssl security update |
VRVDR-57102 | 8.8 | DSA-5087-1 | CVE-2022-24407: Debian DSA-5087-1 : cyrus-sasl2 - security update |
VRVDR-57078 | 9.8 | DSA-5085-1 | CVE-2022-25235, CVE-2022-25236, CVE-2022-25313, CVE-2022-25314, CVE-2022-25315: Debian DSA-5085-1 : expat - security update |
VRVDR-56960 | 7.5 | DSA-5066-1 | CVE-2021-28965, CVE-2021-31799, CVE-2021-31810, CVE-2021-32066, CVE-2021-41817, CVE-2021-41819: Debian DSA-5066-1 : ruby2.5 - security update |
VRVDR-56918 | 5.5 | DSA-5063-1 | CVE-2021-46141, CVE-2021-46142: Debian DSA-5063-1 : uriparser - security update |
VRVDR-56917 | 7.5 | DSA-5062-1 | CVE-2022-22747: Debian DSA-5062-1 : nss - security update |
VRVDR-56903 | 9.1 | DSA-5056-1 | CVE-2021-45079: Debian DSA-5056-1: strongswan security update |
VRVDR-56843 | 7.1 | DSA-5043-1 | CVE-2021-43818: Debian DSA-5043-1 : lxml - security update |
VRVDR-56831 | 5.9 | DSA-5040-1 | CVE-2022-22707: Debian DSA-5040-1 : lighttpd - security update |
VRVDR-56706 | 7.5 | DSA-5019-1 | CVE-2021-22207, CVE-2021-22222, CVE-2021-22235, CVE-2021-39920, CVE-2021-39921, CVE-2021-39922, CVE-2021-39923, CVE-2021-39924, CVE-2021-39925, CVE-2021-39926, CVE-2021-39928, CVE-2021-39929: Debian DSA-5019-1: wireshark – security update |
VRVDR-56656 | 9.8 | DSA-5016-1 | CVE-2021-43527: Debian DSA-5016-1 : nss - security update |
VRVDR-56624 | 5.5 | DSA-5014-1 | CVE-2020-21913: Debian DSA-5014-1 : icu - security update |
2012g
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-56909 | 7.8 | N/A | CVE-2021-4034: policykit-1 security update |
1912u
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-56932 | Critical | L2TP tunnels fail to establish after the upgrade from 1801zb to 1912r |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-57185 | 9.8 | DLA-2935-1 | CVE-2022-23852, CVE-2022-25235, CVE-2022-25236, CVE-2022-25313, CVE-2022-25315: Debian DLA-2935-1 : expat - LTS security update |
VRVDR-57184 | 5.5 | DLA-2932-1 | CVE-2022-0561, CVE-2022-0562, CVE-2022-22844: Debian DLA-2932-1 : tiff - LTS security update |
VRVDR-57183 | 8.8 | DLA-2931-1 | CVE-2022-24407: Debian DLA-2931-1 : cyrus-sasl2 - LTS security update |
VRVDR-57003 | 9.8 | DLA-2919-1 | CVE-2021-3177, CVE-2021-4189: Debian DLA-2919-1 : python2.7 - LTS security update |
VRVDR-56955 | 7.5 | DLA-2898-1 | CVE-2022-22747: Debian DLA-2898-1 : nss - LTS security update |
VRVDR-56954 | 9.8 | DLA-2904-1 | CVE-2021-45960, CVE-2021-46143, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827, CVE-2022-23852, CVE-2022-23990: Debian DLA-2904-1 : expat - LTS security update |
VRVDR-56903 | 9.1 | DSA-5056-1 | CVE-2021-45079: Debian DSA-5056-1: strongswan – security update |
1912t
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-56909 | 7.8 | N/A | CVE-2021-4034: policykit-1 security update |
1912s
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-56188 | Critical | bgpd dumps core in as_list_apply() |
VRVDR-56672 | Critical | SNAT SIP ALG misinterprets SDP part of packet payload header causing dataplane crash |
VRVDR-56576 | Critical | Dataplane crash while capturing traffic |
VRVDR-56131 | Blocker | ping/ssh from remote server to device connected to s9500 SIAD fails, but reachable locally |
VRVDR-47554 | Major | Validate GRE tunnel transport local-ip |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-56769 | 8.1 | DLA-2848-1 | CVE-2019-13115, CVE-2019-17498: Debian DLA-2848-1 : libssh2 - LTS security update |
VRVDR-56689 | 9.8 | DLA-2836-1 | CVE-2021-43527: Debian DLA-2836-1 : nss - LTS security update |
VRVDR-56680 | 7.5 | DLA-2837-1 | CVE-2021-43618: DLA-2837-1 : gmp - LTS security update |
VRVDR-56665 | 9.8 | DLA-2834-1 | CVE-2018-20721: Debian DLA-2834-1 : uriparser - LTS security update |
VRVDR-56664 | 7.5 | DLA-2833-1 | CVE-2018-5764: Debian DLA-2833-1 : rsync - LTS security update |
VRVDR-56647 | 8.8 | DLA-2827-1 | CVE-2019-8921, CVE-2019-8922, CVE-2021-41229: Debian DLA-2827-1 : bluez - LTS security update |
VRVDR-56645 | 8.8 | DLA-2828-1 | CVE-2017-14160, CVE-2018-10392, CVE-2018-10393: Debian DLA-2828-1 : libvorbis - LTS security update |
VRVDR-56644 | 4.7 | DLA-2830-1 | CVE-2018-20482: Debian DLA-2830-1 : tar - LTS security update |
VRVDR-56511 | N/A | DLA-2808-1 | CVE-2021-3733, CVE-2021-3737: Debian DLA-2808-1 : python3.5 - LTS security update |
VRVDR-56503 | 7.5 | DLA-2807-1 | CVE-2018-5740, CVE-2021-25219: Debian DLA-2807-1 : bind9 - LTS security update |
VRVDR-56497 | 5.5 | DLA-2805-1 | CVE-2019-1010305: Debian DLA-2805-1 : libmspack - LTS security update |
VRVDR-56496 | 8.8 | DLA-2804-1 | CVE-2019-7572, CVE-2019-7573, CVE-2019-7574, CVE-2019-7575, CVE-2019-7576, CVE-2019-7577, CVE-2019-7578, CVE-2019-7635, CVE-2019-7636, CVE-2019-7637, CVE-2019-7638, CVE-2019-13616: Debian DLA-2804-1 : libsdl1.2 - LTS security update |
VRVDR-56495 | 6.7 | DLA-2801-1 | CVE-2017-9525, CVE-2019-9704, CVE-2019-9705, CVE-2019-9706: Debian DLA-2801-1 : cron - LTS security update |
VRVDR-56493 | 9.8 | DLA-2802-1 | CVE-2018-16062, CVE-2018-16402, CVE-2018-18310, CVE-2018-18520, CVE-2018-18521, CVE-2019-7150, CVE-2019-7665: Debian DLA-2802-1 : elfutils - LTS security update |
VRVDR-56459 | N/A | DLA-2798-1 | Debian DLA-2798-1 : libdatetime-timezone-perl - LTS security update |
VRVDR-56458 | N/A | DLA-2797-1 | Debian DLA-2797-1 : tzdata - LTS security update |
VRVDR-56315 | 7.5 | DLA-2788-1 | CVE-2021-41991: Debian DLA-2788-1: A denial-of-service vulnerability in the in-memory certificate |
1912r
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-56188 | Critical | bgpd dumps core in as_list_apply() |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-56321 | 7.5 | DLA-2786-1 | CVE-2018-1000168, CVE-2020-11080: Debian DLA-2786-1 : nghttp2 - LTS security update |
VRVDR-56308 | 7.4 | DLA-2780-1 | CVE-2021-31799, CVE-2021-31810, CVE-2021-32066: Debian DLA-2780-1 : ruby2.3 - LTS security update |
VRVDR-56295 | 5.5 | DLA-2784-1 | CVE-2020-21913: Debian DLA-2784-1 : icu - LTS security update |
VRVDR-56230 | 7.5 | DLA-2777-1 | CVE-2020-19131, CVE-2020-19144: Debian DLA-2777-1 : tiff - LTS security update |
VRVDR-56229 | 7.4 | DLA-2774-1 | CVE-2021-3712: Debian DLA-2774-1 : openssl1.0 - LTS security update |
VRVDR-56228 | 7.5 | DLA-2773-1 | CVE-2021-22946, CVE-2021-22947: Debian DLA-2773-1 : curl - LTS security update |
VRVDR-56221 | 6.5 | DLA-2771-1 | CVE-2018-5729, CVE-2018-5730, CVE-2018-20217, CVE-2021-37750: Debian DLA-2771-1 : krb5 - LTS security update |
VRVDR-56210 | 7.4 | DLA-2766-1 | CVE-2021-3712: Debian DLA-2766-1 : openssl - LTS security update |
1912q
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-55753 | Major | Multicast: eliminate or hide FAL counter logs |
VRVDR-55749 | Major | Swapped in SFP doesn't pick up configured MTU |
VRVDR-55569 | Major | MRIBv6 FIB: Peek error Resource temporarily unavailable |
VRVDR-55011 | Major | Can't log into a SIAD with read-only SSD |
VRVDR-54591 | Blocker | TACACS authentications fails when TACACS accounting has a large backlog |
VRVDR-53135 | Major | "protocols multicast ip log-warning" doesn't log any warnings |
VRVDR-53114 | Major | TACACS+ session accounting may still use hostname instead of IP address |
VRVDR-53099 | Major | TACACS+ starts only when service is restarted manually |
VRVDR-53085 | Major | Multicast IPv4 and IPv6 is mutually exclusive on SIAD |
VRVDR-52997 | Major | tacplusd get_tty_login_addr() may overflow buffer |
VRVDR-52912 | Critical | service-user creation fails due to moved SSSD databases |
VRVDR-52855 | Critical | Creating service users fails |
VRVDR-52842 | Major | sssd pipes should not be shared with user sandboxes |
VRVDR-52730 | Major | sssd should not run as root |
VRVDR-52671 | Critical | sssd_nss crashes on startup if filesystem containing in-memory cache backing files is full |
VRVDR-52241 | Major | TACACS: Sanity Test Command Authorisation fails due to Tacacs+ DBus Daemon restart |
VRVDR-52120 | Major | Hostname may be sent instead of IP address in TACACS+ accounting requests |
VRVDR-52091 | Major | tacplusd should not run as root |
VRVDR-51809 | Major | TACACS+ session accounting: task_id in stop record differs from task_id in start record |
VRVDR-51580 | Critical | Command Accounting: Start record support |
VRVDR-50803 | Major | tacplusd logs are very chatty by default |
VRVDR-50552 | Major | 'TACACS daemon is not running' even with all TACACS config |
VRVDR-50310 | Major | SIAD multicast traffic counted on output interface |
VRVDR-50036 | Major | Add TACACS+/SSSD information to tech support output |
VRVDR-42098 | Major | TACACS+ Server Connection Timeout |
VRVDR-42094 | Minor | TACACS+ Server Enable / Disable |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-55979 | N/A | DLA-2738-1 | CVE-2021-3672: Debian DLA-2738-1 : c-ares - LTS security update |
VRVDR-55951 | 6.5 | DLA-2735-1 | CVE-2018-14662, CVE-2018-16846, CVE-2020-1760, CVE-2020-10753, CVE-2021-3524: Debian DLA-2735-1: ceph – LTS security update |
VRVDR-55948 | 7.4 | DLA-2734-1 | CVE-2021-22898, CVE-2021-22924: Debian DLA-2734-1: curl – LTS security update |
VRVDR-55792 | 5.5 | DLA-2715-1 | CVE-2021-33910: Debian DLA-2715-1: systemd - LTS security update |
VRVDR-55761 | 7.8 | DSA-4941-1 | CVE-2020-36311, CVE-2021-3609, CVE-2021-33909, CVE-2021-34693: Debian DSA-4941-1: linux security update |
VRVDR-55648 | N/A | DLA-2703-1 | Debian DLA-2703-1 : ieee-data - LTS security update |
VRVDR-55538 | 7.8 | DLA-2690-1 | CVE-2020-24586, CVE-2020-24587, CVE-2020-24588, CVE-2020-25670, CVE-2020-25671, CVE-2020-25672, CVE-2020-26139, CVE-2020-26147, CVE-2020-26558, CVE-2020-29374, CVE-2021-0129, CVE-2021-3483, CVE-2021-3506, CVE-2021-3564, CVE-2021-3573, CVE-2021-3587, CVE-2021-23133, CVE-2021-23134, CVE-2021-28688, CVE-2021-28964, CVE-2021-28971, CVE-2021-29154, CVE-2021-29155, CVE-2021-29264, CVE-2021-29647, CVE-2021-29650, CVE-2021-31829, CVE-2021-31916, CVE-2021-32399, CVE-2021-33034: Debian DLA-2690-1: linux LTS security update |
1912p
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-55160 | Blocker | dataplane: srvAdaptiveFrequencyReferenceTracker.c:91: getStraightenedLocalTimestampsAdaptiveFrequency: Assertion '((direction == E_srvUpLinkDirection) || (direction == E_srvDownLinkDirection))' failed |
VRVDR-54128 | Critical | PDV syslogs are observed in huge number |
VRVDR-53790 | Critical | Crash in mngPtpSessionStop |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-55602 | 8.8 | DLA-2699-1 | CVE-2020-5208: Debian DLA-2699-1 : ipmitool - LTS security update |
VRVDR-55600 | 9.8 | DLA-2695-1 | CVE-2021-31870, CVE-2021-31871, CVE-2021-31872, CVE-2021-31873: Debian DLA-2695-1 : klibc - LTS security update |
VRVDR-55556 | 7.8 | DLA-2694-1 | CVE-2020-35523, CVE-2020-35524: Debian DLA-2694-1 : tiff security update |
VRVDR-55555 | 5.7 | DLA-2692-1 | CVE-2020-26558, CVE-2021-0129: Debian DLA-2692-1 : bluez security update |
VRVDR-55537 | 7.5 | DLA-2691-1 | CVE-2021-33560: Debian DLA-2691-1 : libgcrypt |
VRVDR-55273 | 6.5 | DLA-2669-1 | CVE-2021-3541: Debian DLA-2669-1 : libxml2 security update |
VRVDR-55219 | 6.3 | DLA-2623-1 | CVE-2020-17380, CVE-2021-20203, CVE-2021-20255, CVE-2021-20257, CVE-2021-3392, CVE-2021-3409, CVE-2021-3416: Debian DLA-2623-1 : qemu security update |
VRVDR-55218 | 9.8 | DLA-2666-1 | CVE-2021-31535: Debian DLA-2666-1 : libx11 security update |
VRVDR-55127 | 5.3 | DLA-2664-1 | CVE-2021-22876: Debian DLA-2664-1 : curl security update |
VRVDR-55071 | 8.8 | DLA-2653-1 | CVE-2021-3516, CVE-2021-3517, CVE-2021-3518, CVE-2021-3537: Debian DLA-2653-1 : libxml2 security update |
VRVDR-55024 | 9.8 | DLA-2647-1 | CVE-2021-25214, CVE-2021-25215, CVE-2021-25216: Debian DLA-2647-1 : bind9 security update |
VRVDR-54850 | 7.8 | DLA-2610-1 | Debian DLA-2610-1 : linux-4.19 security update |
1912n
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-54900 | Major | Constant attempts to revive old duplicate CHILD_SA are causing rekey flood and occasional traffic drop. |
VRVDR-54765 | Major | ALG session may cause dataplane crash when cleared |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-54926 | 6.1 | DLA-2628-1 | CVE-2019-16935, CVE-2021-23336: Debian DLA-2628-1 : python2.7 security update |
VRVDR-54858 | 9.8 | DLA-2619-1 | CVE-2021-23336, CVE-2021-3177, CVE-2021-3426: Debian DLA-2619-1 : python3.5 security update |
VRVDR-54849 | 7.5 | DLA-2614-1 | CVE-2021-28831: Debian DLA-2614-1 : busybox security update |
VRVDR-54848 | N/A | DLA-2611-1 | CVE-2020-27840, CVE-2021-20277: Debian DLA-2611-1 : ldb security update |
VRVDR-54712 | 8.1 | DLA-2588-1 | CVE-2021-20234, CVE-2021-20235: Debian DLA-2588-1 : zeromq3 security update |
1912m
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-54586 | Major | Dataplane crash in connection sync on closing tcp session |
VRVDR-53889 | Major | BFD mbuf leak when deployed in a VNF using PCI-Passthrough on ixgbe |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-54801 | 7.2 | DLA-2605-1 | CVE-2021-27928: Debian DLA-2605-1 : mariadb-10.1 security update |
VRVDR-54788 | 8.1 | DLA-2604-1 | CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25684, CVE-2020-25687: Debian DLA-2604-1 : dnsmasq security update |
VRVDR-54770 | 9.8 | DLA-2596-1 | CVE-2017-12424, CVE-2017-20002: Debian DLA-2596-1 : shadow security update |
VRVDR-54563 | 7.5 | DLA-2574-1 | CVE-2021-27212: Debian DLA-2574-1 : openldap security update |
VRVDR-54562 | 9.8 | DLA-2570-1 | CVE-2021-26937: Debian DLA-2570-1: screen security update |
VRVDR-54531 | 8.1 | DLA-2568-1 | CVE-2020-8625: Debian DLA-2568-1 : bind9 security update |
1912k
Issues Resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-54360 | Major | Operator level user cannot execute 'show firewall ...' commands |
VRVDR-54272 | Critical | tech-support archive generated uncompressed breaking user expectations |
VRVDR-54238 | Major | Dataplane crash in map_rcu_free on system shutdown |
VRVDR-54225 | Minor | VFP interface does not pick up IP Address from donor loopback interface |
VRVDR-54160 | Major | LACP with VIF - Slaves not selected in 'lacp' & 'balanced' modes |
VRVDR-54144 | Blocker | Marvell FAL plugin should drop backplane packets with RX Errors |
VRVDR-54119 | Critical | Repeated PTP tunnel failures due to busy state |
VRVDR-54027 | Major | Migrating loopback to self GRE tun50 configuration to newer code versions |
VRVDR-51846 | Critical | RIB table not updated correctly for OSPFv3 routes after flapping the primary path by making dataplane/switch interface link failure/recovery |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-54536 | 9.1 | DLA-2566-1 | CVE-2019-20367: Debian DLA-2566-1 : libbsd security update |
VRVDR-54535 | N/A | DLA-2565-1 | CVE-2021-23840, CVE-2021-23841: Debian DLA-2565-1 : openssl1.0 security update |
VRVDR-54534 | N/A | DLA-2563-1 | CVE-2021-23840, CVE-2021-23841: Debian DLA-2563-1 : openssl security update |
VRVDR-54499 | 8.8 | DLA-2557-1 | CVE-2020-27815, CVE-2020-27825, CVE-2020-27830, CVE-2020-28374, CVE-2020-29568, CVE-2020-29569, CVE-2020-29660, CVE-2020-29661, CVE-2020-36158, CVE-2021-20177, CVE-2021-3347: Debian DLA-2557-1 : linux-4.19 security update |
VRVDR-54445 | 7.8 | DLA-2549-1 | CVE-2020-0256, CVE-2021-0308: Debian DLA-2549-1 : gdisk security update |
VRVDR-54436 | 7.5 | DLA-2547-1 | CVE-2019-13619, CVE-2019-16319, CVE-2019-19553, CVE-2020-7045, CVE-2020-9428, CVE-2020-9430, CVE-2020-9431, CVE-2020-11647, CVE-2020-13164, CVE-2020-15466, CVE-2020-25862, CVE-2020-25863, CVE-2020-26418, CVE-2020-26421, CVE-2020-26575, CVE-2020-28030: Debian DLA-2547-1: wireshark security update |
VRVDR-54400 | 7.5 | DLA-2544-1 | CVE-2020-36221, CVE-2020-36222, CVE-2020-36223, CVE-2020-36224, CVE-2020-36225, CVE-2020-36226, CVE-2020-36227, CVE-2020-36228, CVE-2020-36229, CVE-2020-36230: Debian DLA-2544-1 : openldap security update |
VRVDR-54399 | N/A | DLA-2543-1 | Debian DLA-2543-1 : libdatetime-timezone-perl new upstream version |
VRVDR-54398 | N/A | DLA-2542-1 | Debian DLA-2542-1 : tzdata new upstream version |
VRVDR-54337 | 6.5 | DLA-2538-1 | CVE-2020-14765, CVE-2020-14812: Debian DLA-2538-1 : mariadb-10.1 security update |
VRVDR-54287 | 7.8 | DLA-2534-1 | CVE-2021-3156: Debian DLA-2534-1 : sudo security update |
1912j
Issues Resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-54142 | Critical | Inconsistent VRRP interface status upon reboot |
VRVDR-54047 | Critical | On i40e driver when bond is disabled the link-state of member interfaces is u/D when configured but u/u after a reboot |
VRVDR-53964 | Major | User-isolation feature is not present in licensed 'B' images |
VRVDR-53962 | Critical | Reboot D2MSN backup connection created systemd-coredump with BGP authentication enabled |
VRVDR-53928 | Major | Jumbo Frame MTU setting on Intel IGB interface causes link to go down |
VRVDR-53854 | Major | Interfaces went down / panic: runtime error: slice bounds out of range |
VRVDR-53368 | Minor | Alpha-numeric common pattern with preceding '0' in resources group <name> causes out of order list on config-sync slave |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-54046 | 7.5 | DLA-2513-1 | CVE-2020-29361, CVE-2020-29362: Debian DLA-2513-1 : p11-kit security update |
VRVDR-54039 | 7.5 | DLA-2116-1 | CVE-2015-9542: Debian DLA 2116-1 : libpam-radius-auth security update |
VRVDR-53970 | N/A | DLA-2510-1 | Debian DLA-2510-1 : libdatetime-timezone-perl new upstream release |
VRVDR-53969 | N/A | DLA-2509-1 | Debian DLA-2509-1 : tzdata new upstream version |
VRVDR-53968 | 7.5 | DLA-2500-1 | CVE-2020-8284, CVE-2020-8285, CVE-2020-8286: Debian DLA-2500-1 : curl security update |
VRVDR-53967 | 8.1 | DLA-2498-1 | CVE-2018-1311: Debian DLA-2498-1 : xerces-c security update |
VRVDR-53966 | N/A | DLA-2488-2 | Debian DLA-2488-2 : python-apt regression update |
VRVDR-53965 | 6.1 | DLA-2467-2 | CVE-2020-27783: Debian DLA-2467-2 : lxml regression update |
VRVDR-53861 | 8.2 | DLA-2483-1 | CVE-2019-19039, CVE-2019-19377, CVE-2019-19770, CVE-2019-19816, CVE-2020-0423, CVE-2020-8694, CVE-2020-14351, CVE-2020-25656, CVE-2020-25668, CVE-2020-25669, CVE-2020-25704, CVE-2020-25705, CVE-2020-27673, CVE-2020-27675, CVE-2020-28941, CVE-2020-28974: Debian DLA-2483-1: linux-4.19 security update |
1912h
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-53699 | Blocker | PTP implementation noms all the PTP packets. Even though not destined for it. |
VRVDR-53596 | Critical | config-sync is not operational when the configuration contains quotes |
VRVDR-53570 | Critical | Storm control policy may have non-zero packet counts on being applied |
VRVDR-53515 | Critical | PTP remains in acquiring state long enough to trigger an alarm |
VRVDR-53373 | Critical | When bond is disabled the link-state of member interfaces is u/D when configured but u/u after a reboot |
VRVDR-53367 | Minor | config-sync does not work if a modified candidate config exists on peer |
VRVDR-53324 | Blocker | ADI XS uCPE: InDiscards seen in the switch backplane at 1G |
VRVDR-53083 | Critical | Coredump observed at in.telnetd |
VRVDR-52877 | Blocker | ADI QoS Performance Issue with specific packet sizes |
VRVDR-52074 | Major | Mark maps using DSCP resource groups don't pick up resource group changes |
VRVDR-51940 | Blocker | Changing DSCP Values Causes BFD Instability Which Requires Reboot |
VRVDR-51529 | Critical | Config Sync fails displaying 'vyatta-interfaces-v1:interfaces' when firewall action configured |
VRVDR-43453 | Minor | show l2tpeth/ show l2tpeth <interface> returns "Use of uninitialized value in printf at /opt/vyatta/bin/vplane-l2tpeth-show.pl line 41" with the output |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-53860 | 7.5 | DLA-2340-2 | CVE-2019-20218: Debian DLA-2340-2 : sqlite3 regression update |
VRVDR-53859 | 2.8 | DLA-2488-1 | CVE-2020-27351: Debian DLA-2488-1 : python-apt security update |
VRVDR-53858 | 5.7 | DLA-2487-1 | CVE-2020-27350: Debian DLA-2487-1 : apt security update |
VRVDR-53824 | N/A | DLA-2481-1 | CVE-2020-25709, CVE-2020-25710: Debian DLA-2481-1: openldap security update |
VRVDR-53769 | 6.1 | DLA-2467-1 | CVE-2018-19787, CVE-2020-27783: Debian DLA-2467-1 : lxml security update |
VRVDR-53688 | 7.5 | DLA-2456-1 | CVE-2019-20907, CVE-2020-26116: Debian DLA-2456-1 : python3.5 security update |
VRVDR-53626 | 6.5 | DLA-2445-1 | CVE-2020-28241: Debian DLA-2445-1 : libmaxminddb security update |
VRVDR-53625 | 7.5 | DLA-2444-1 | CVE-2020-8037: Debian DLA-2444-1 : tcpdump security update |
VRVDR-53624 | 7.5 | DLA-2443-1 | CVE-2020-15166: Debian DLA-2443-1 : zeromq3 security update |
VRVDR-53526 | 7.5 | DLA-2423-1 | CVE-2019-10894, CVE-2019-10895, CVE-2019-10896, CVE-2019-10899, CVE-2019-10901, CVE-2019-10903, CVE-2019-12295: Debian DLA-2423-1 : wireshark security update |
VRVDR-53525 | N/A | DLA-2425-1 | Debian DLA-2425-1 : openldap security update |
VRVDR-53524 | N/A | DLA-2424-1 | Debian DLA-2424-1 : tzdata new upstream version |
VRVDR-53448 | N/A | DLA-2409-1 | CVE-2020-15180: Debian DLA-2409-1 : mariadb-10.1 security update |
1912g
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-53517 | Critical | PTP de-referencing bad interface pointer |
VRVDR-53459 | Critical | ATT-VROUTER-PTP-MIB::attVrouterPtpServoFailure no longer sent |
VRVDR-53429 | Blocker | Up-rev Ufi hwdiag to 3.1.11 |
VRVDR-53385 | Blocker | Repeat PTP servo failure messages |
VRVDR-53372 | Critical | Dataplane crash in ptp_peer_resolver_cb |
VRVDR-53317 | Critical | PTP: port packet counters ignore signalling messages |
VRVDR-53305 | Blocker | Incoming PTP traffic is not being trapped to the PTP firmware |
VRVDR-53302 | Critical | Boundary Clock lost sync and is unable to re-acquire lock |
VRVDR-53014 | Critical | commit-confirm not working via vcli scripts |
VRVDR-52995 | Critical | Grub update during image upgrade is broken |
VRVDR-52879 | Blocker | PTP: Unable to peer with master when route to GM fails over to backup vlan |
VRVDR-52877 | Blocker | ADI QoS Performance Issue with specific packet sizes |
VRVDR-52825 | Minor | Configuring three sub-levels of time-zone is not possible, causing upgrade from earlier version to fail |
VRVDR-52739 | Major | Port value in tunnel policy without specifying protocol causes error "protocol must be formatted as well-known string." for IPsec 'show' commands |
VRVDR-52677 | Major | When multiple peers use the same local-address, no authentication ids, and unique pre-shared-keys IKEv2 based IPsec stuck in 'init' for all but one peer |
VRVDR-52668 | Major | Configuration fails to load after upgrade from 1801ze to 1912e when firewall rule with port range 0-65535 statement is present |
VRVDR-52611 | Major | i40e driver silently drops multicast packets causing VRRP dual master |
VRVDR-52425 | Major | TACACS+ command authorization/accounting bypass via NETCONF |
VRVDR-52424 | Major | NETCONF edit-config applies changes with "none" default-operation, and no specified operation |
VRVDR-52410 | Critical | IPsec: SNMP trap no longer sent when IPsec tunnel goes up or down |
VRVDR-52404 | Major | ICMP error returned with corrupted inner header causes seg-fault when passed through a FW/NAT44/PBR rule with logging enabled |
VRVDR-52401 | Critical | Degradation of throughput by 10%-40% on v150 with 100M physical interface & QOS |
VRVDR-52221 | Major | Disabled PMTUD on GRE tunnel causes outer packet to inherit inner packet TTL value |
VRVDR-52179 | Critical | Overlayfs file corruption of user accounting files |
VRVDR-52152 | Critical | PTP: Use monotonic time for semaphores and mutexes |
VRVDR-51643 | Major | SNMP Trap not receiving when CHILD_SA deleting |
VRVDR-51465 | Blocker | Restore (opt-out) collection of shell history in tech-support |
VRVDR-51455 | Critical | Bad file descriptor (src/epoll.cpp:100) when applying config |
VRVDR-51443 | Major | IPv6 router-advert CLI missing on switch VLAN interfaces |
VRVDR-51332 | Major | PTP: Unable to cope with config change where master and slave swap ds-ports (slave does not come up) |
VRVDR-50884 | Major | Grub passwd printed in plain-text in installer logs |
VRVDR-50619 | Major | LACP with VIF - still seeing Slaves not selected in 'balanced' mode |
VRVDR-50544 | Critical | Opd logging YANG files missing in Edinburgh (VNF), Fleetwood onwards (VR and VNF) |
VRVDR-50313 | Major | PTP: SIAD does not send "Follow_Up" msgs to slaves when two-step-flag is enabled |
VRVDR-50026 | Critical | Dataplane crash: npf_timeout_get() |
VRVDR-49447 | Major | show tech-support still logs /var/log/messages |
VRVDR-49409 | Major | Dataplane reports that the bonding drivers doesn't support vlan filtering |
VRVDR-49209 | Minor | tech-support should not use any user gpg config when encrypting tech support archives |
VRVDR-48480 | Blocker | PTP servo reports 0 pps after path switch during ECMP |
VRVDR-48460 | Critical | Tshark permission errors and seg fault when executing monitor command |
VRVDR-48055 | Critical | IPsec VPN dataplane crash deleting VRF |
VRVDR-47858 | Critical | GRE: "RTNETLINK answers: No such file or directory" on trying to delete tunnel |
VRVDR-46493 | Major | IPSec RA-VPN Server : IKE proposal not found on server when setting the local-address to "any" |
VRVDR-43307 | Critical | vyatta-ike-sa-daemon: TypeError: 'IKEConfig' object does not support indexing |
VRVDR-42123 | Major | opd adds node.tag values under the wrong location in tab completion |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-53323 | 7.5 | DLA-2391-1 | CVE-2020-25613: Debian DLA-2391-1 : ruby2.3 security update |
VRVDR-53273 | 7.8 | DLA-2385-1 | CVE-2019-3874, CVE-2019-19448, CVE-2019-19813, CVE-2019-19816, CVE-2020-10781, CVE-2020-12888, CVE-2020-14314, CVE-2020-14331, CVE-2020-14356, CVE-2020-14385, CVE-2020-14386, CVE-2020-14390, CVE-2020-16166, CVE-2020-25212, CVE-2020-25284, CVE-2020-25285, CVE-2020-25641, CVE-2020-26088: Debian DLA-2385-1: linux-4.19 LTS security update |
VRVDR-53272 | 9.8 | DLA-2388-1 | Debian DLA-2388-1 : nss security update |
VRVDR-53231 | N/A | DLA-2382-1 | CVE-2020-8231: Debian DLA-2382-1 : curl security update |
VRVDR-53230 | 3.7 | DLA-2378-1 | CVE-2020-1968: Debian DLA-2378-1 : openssl1.0 security update |
VRVDR-52817 | 6.4 | N/A | CVE-2020-15705: GRUB2 fails to validate kernel signature when booted directly without shim, allowing secure boot to be bypassed |
VRVDR-52457 | 7.8 | DLA-2301-1 | CVE-2020-12762: Debian DLA-2301-1 : json-c security update |
VRVDR-52456 | 6.7 | DLA-2290-1 | CVE-2019-5188: Debian DLA-2290-1 : e2fsprogs security update |
VRVDR-52454 | N/A | DLA-2295-1 | CVE-2020-8177: Debian DLA-2295-1 : curl security update |
VRVDR-52357 | 5.6 | DSA-4733-1 | CVE-2020-8608: Debian DSA-4733-1: qemu security update |
VRVDR-52273 | 6.7 | DSA-4728-1 | CVE-2020-10756, CVE-2020-13361, CVE-2020-13362, CVE-2020-13754, CVE-2020-13659: Debian DSA-4728-1: qemu security update |
VRVDR-52265 | 9.8 | DLA-2280-1 | CVE-2018-20406, CVE-2018-20852, CVE-2019-5010, CVE-2019-9636, CVE-2019-9740, CVE-2019-9947, CVE-2019-9948, CVE-2019-10160, CVE-2019-16056, CVE-2019-16935, CVE-2019-18348, CVE-2020-8492, CVE-2020-14422: Debian DLA-2280-1 : python3.5 security update |
VRVDR-51849 | 7.5 | N/A | CVE-2018-19044, CVE-2018-19045, CVE-2018-19046: Insecure temporary file usage in keepalived |
1912f
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-52669 | Critical | Cannot display EEPROM info for FINISAR FCLF8522P2BTL Copper Port |
VRVDR-52643 | Blocker | "request hard qsfp/sfp_status present X" - performance degradation |
VRVDR-52568 | Blocker | Revert SIAD kernel panic defaults |
VRVDR-52546 | Minor | GUI hangs/loading and finally timeout with an error message on browser |
VRVDR-52469 | Blocker | i2c MUX reset required on S9500 to mitigate bus lock due to malfunctioning SFP |
VRVDR-52447 | Blocker | PTP: switching between the same master on multiple ports does not work if chosen port is down |
VRVDR-52284 | Blocker | S9500 - 'request hardware-diag version' command missing product name, reporting eeprom error |
VRVDR-52278 | Blocker | S9500 - upgrade HW diags to v3.1.10 |
VRVDR-52248 | Blocker | vyatta-sfpd can start before platform init complete |
VRVDR-52228 | Minor | The command ‘show hardware sensors sel’ gives a traceback |
VRVDR-52190 | Critical | smartd attempting to send email |
VRVDR-52215 | Critical | Memory use after free when deleting storm control profile |
VRVDR-52104 | Blocker | S9500 integration of BSP 3.0.11, 3.0.12 and 3.0.13 |
VRVDR-51754 | Critical | Readonly account failed to stay in after log on |
VRVDR-51344 | Critical | S9500-30XS: 10G Interface LED sometimes lit when interface is disabled |
VRVDR-51135 | Critical | NTP client remains sync'd with server even though source interface has no address |
VRVDR-51114 | Minor | Change command not found error for users running in a sandbox |
VRVDR-50951 | Critical | OSPFv3 logs are not generated when OSPFv3 process is reset |
VRVDR-50928 | Minor | PTP: ufispace-bsp-utils 3.0.10 causing /dev/ttyACM0 to disappear |
VRVDR-50775 | Major | Dataplane "PANIC in bond_mode_8023ad_ext_periodic_cb" w/ locally sourced and terminated GRE traffic |
VRVDR-50549 | Trivial | PTP: Spelling error in log msg "Successfully configure DPLL 2 fast lcok" |
VRVDR-50359 | Critical | show int dataplane foo phy issues with vendor-rev |
VRVDR-49935 | Critical | Dataplane core dump generated following vyatta-dataplane restart in vlan_if_l3_disable |
VRVDR-49836 | Major | IPsec: Fails to be able to ping from tunnel endpoint to tunnel endpoint with ping size 1419 using default MTU with site-2-site. Tunnel MTU discovery not working |
VRVDR-48315 | Critical | Malformed interface names in show ipv6 multicast interface with IPv6 GRE tunnels |
VRVDR-48090 | Major | Error: /transceiver-info/physical-channels/channel/0/laser-bias-current/: is not a decimal64 at /opt/vyatta/share/perl5/Vyatta/Configd.pm line 208 |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-53016 | 9.1 | DLA-2369-1 | CVE-2017-18258, CVE-2017-8872, CVE-2018-14404, CVE-2018-14567, CVE-2019-19956, CVE-2019-20388, CVE-2020-24977, CVE-2020-7595: Debian DLA-2369-1 : libxml2 security update |
VRVDR-52844 | 7.5 | DLA-2355-1 | CVE-2020-8622, CVE-2020-8623: Debian DLA-2355-1 : bind9 security update |
VRVDR-52723 | 8.8 | DLA-2340-1 | CVE-2018-20346, CVE-2018-20506, CVE-2018-8740, CVE-2019-16168, CVE-2019-20218, CVE-2019-5827, CVE-2019-9936, CVE-2019-9937, CVE-2020-11655, CVE-2020-13434, CVE-2020-13630, CVE-2020-13632, CVE-2020-13871: Debian DLA-2340-1 : sqlite3 security update |
VRVDR-52722 | 9.8 | DLA-2337-1 | CVE-2018-20852, CVE-2019-10160, CVE-2019-16056, CVE-2019-20907, CVE-2019-5010, CVE-2019-9636, CVE-2019-9740, CVE-2019-9947, CVE-2019-9948: Debian DLA-2337-1 : python2.7 security update |
VRVDR-52618 | 9.8 | DLA-2323-1 | CVE-2019-18814, CVE-2019-18885, CVE-2019-20810, CVE-2020-10766, CVE-2020-10767, CVE-2020-10768, CVE-2020-12655, CVE-2020-12771, CVE-2020-13974, CVE-2020-15393: Debian DLA-2323-1 : linux-4.19 new package |
VRVDR-52476 | 5.9 | DLA-2303-1 | CVE-2020-16135: Debian DLA-2303-1 : libssh security update |
VRVDR-52197 | N/A | N/A | Privilege escalation in "reset ipv6 neighbors" / "reset ip arp" commands |
1912e
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-51957 | Blocker | Modelled copy command incorrectly enforcing ssh-known-host check in 1912e |
VRVDR-51952 | Blocker | Group ownership for non ROOT files got changed to ssh @ 1912e |
VRVDR-51937 | Blocker | show interface dataplane dp0xe<x> displays incorrect speed for copper ports when interface is down |
VRVDR-51828 | Major | SIAD ACL: BCM SDK error when deleting ACL configuration |
VRVDR-51639 | Critical | Response for "request hardware-diag version" takes much longer with 1912b |
VRVDR-51619 | Critical | SIAD ACL: Ensure that rulesets which would exceed the TCAM are rejected |
VRVDR-51616 | Critical | Storm Control triggered snmpd warning messages in journal |
VRVDR-51543 | Critical | IPsec peers stuck in 'init' state after upgrade from 1801q to 1912d |
VRVDR-51539 | Critical | Repeated FAL BCM "L3 Interface" for VSI 0 Syslog |
VRVDR-51521 | Critical | NAT64 opd yang file missing required type field in 1908 and 1912 |
VRVDR-51518 | Critical | Dataplane performance fails for forward pkts when scatter mode driver is used |
VRVDR-51483 | Major | Removing guest configuration fails with scripting error |
VRVDR-51385 | Critical | Dataplane Crash in next_hop_list_find_path_using_ifp |
VRVDR-51348 | Major | libsnmp-dev built from DANOS/net-snmp is not API compatible with libsnmp-dev from upstream |
VRVDR-51345 | Critical | S9500-30XS: 100G Interface LED lit even when disabled |
VRVDR-51311 | Blocker | DAS Switch with 1912b seeing low rate of drops vs 1903m |
VRVDR-51295 | Critical | Changing speed on interface resets configured MTU to default |
VRVDR-51247 | Major | S9500 - missing hw_rev.cfg file |
VRVDR-51238 | Major | After broadcast storm, TACACS doesn't recover |
VRVDR-51185 | Blocker | Link doesn't come up after swapping 1000BASE-T SFP for 1000BASE-X SFP |
VRVDR-51183 | Major | 'FAL neighbor del' log is generated by dataplane for each ARP received for an unknown address |
VRVDR-51179 | Critical | live-cd installs should not install all unique state |
VRVDR-51148 | Critical | S9500 interface flaps when MTU is modified |
VRVDR-51072 | Critical | L3 SIAD router not fragmenting packet size above MTU |
VRVDR-51067 | Critical | DPDK VIRTIO driver does not support multiple MAC addresses |
VRVDR-51066 | Blocker | 1908g performance hit with vCSR VNF scenario in small, medium and large platforms |
VRVDR-51052 | Blocker | Traffic dropped in SIAD when jumbo frames are > 1522 bytes but under defined MTU limit |
VRVDR-51008 | Major | When the /var/log partition exists journal files from previous installs are retained but not rotated |
VRVDR-50939 | Blocker | BFD session retained in admin down state when interface is disabled |
VRVDR-50927 | Critical | show interface data <port> phy not working correctly for Operator class users |
VRVDR-50920 | Blocker | SIAD - modelled copy with scp target is operationally unusable |
VRVDR-50915 | Critical | Error generating /interfaces/backplane-state on SIAD |
VRVDR-50874 | Critical | Storm control errors in 1912b |
VRVDR-50559 | Critical | Error: /vyatta-cpu-history-client: GetState failure: Traceback |
VRVDR-50256 | Blocker | Login fails with recent master images - Error in service module |
VRVDR-50075 | Major | Sandbox cleanup fails for deleted TACACS+ user with open sessions |
VRVDR-49985 | Major | L3ACL: CLI command and validation for IPv6 ACL rules with fragment option |
VRVDR-49959 | Major | Change the yang accepted on SIAD to refuse ACLs specifying 'protocol final' |
VRVDR-49808 | Critical | TACACS+ logins of users with "exotic" usernames fail when user isolation is enabled |
VRVDR-49502 | Major | Login fails for isolated users whose name contains an underscore |
VRVDR-49491 | Critical | User Isolation shared-storage not accessible in Master image after upgrade |
VRVDR-49442 | Major | SNMP related syslog messages at wrong log level |
VRVDR-49231 | Critical | PPPoE Client - Not re-establishing dropped connection automatically |
VRVDR-48438 | Major | LACP causing interface to remain down |
VRVDR-47530 | Critical | OSPF scaling: regression script fails bringing up many OSPF neighbors |
VRVDR-45369 | Major | show interface dataplane X physical incorrectly reports speed when down |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-51526 | 7.8 | DSA-4699-1 | CVE-2019-19462, CVE-2019-3016, CVE-2020-0543, CVE-2020-10711, CVE-2020-10732, CVE-2020-10751, CVE-2020-10757, CVE-2020-12114, CVE-2020-12464, CVE-2020-12768, CVE-2020-12770, CVE-2020-13143: Debian DSA-4699-1 : linux - security update |
VRVDR-51525 | 7.8 | DSA-4698-1 | CVE-2019-2182, CVE-2019-5108, CVE-2019-19319, CVE-2019-19462, CVE-2019-19768, CVE-2019-20806, CVE-2019-20811, CVE-2020-0543, CVE-2020-2732, CVE-2020-8428, CVE-2020-8647, CVE-2020-8648, CVE-2020-8649, CVE-2020-9383, CVE-2020-10711, CVE-2020-10732, CVE-2020-10751, CVE-2020-10757, CVE-2020-10942, CVE-2020-11494, CVE-2020-11565, CVE-2020-11608, CVE-2020-11609, CVE-2020-11668, CVE-2020-12114, CVE-2020-12464, CVE-2020-12652, CVE-2020-12653, CVE-2020-12654, CVE-2020-12770, CVE-2020-13143: Debian DSA-4698-1: linux – security update |
VRVDR-51236 | 8.6 | DSA-4689-1 | CVE-2019-6477, CVE-2020-8616, CVE-2020-8617: Debian DSA-4689-1 : bind9 - security update |
VRVDR-51142 | 5.5 | DSA-4685-1 | CVE-2020-3810: Debian DSA-4685-1 : apt - security update |
VRVDR-51054 | 6.7 | DSA-4688-1 | CVE-2020-10722, CVE-2020-10723, CVE-2020-10724: Debian DSA-4688-1 : dpdk - security update |
VRVDR-50886 | 8.8 | DSA-4670-1 | CVE-2018-12900, CVE-2018-17000, CVE-2018-17100, CVE-2018-19210, CVE-2019-7663, CVE-2019-14973, CVE-2019-17546: Debian DSA-4670-1 : tiff - security update |
VRVDR-50851 | 7.5 | DSA-4666-1 | CVE-2020-12243: Debian DSA-4666-1 : openldap - security update |
VRVDR-50530 | 7.1 | DSA-4647-1 | CVE-2020-0556: Debian DSA-4647-1 : bluez - security update |
VRVDR-50498 | 8.8 | DSA-4646-1 | CVE-2020-10531: Debian DSA-4646-1 : icu - security update |
VRVDR-44891 | N/A | N/A | opd doesn't escape input properly when completing commands |
1912a
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-49822 | Critical | Only shows peering with 16 nodes in "show ptp clock 0" |
VRVDR-49735 | Critical | IPsec RA VPN: default VRF + VFP is blocking traffic which is supposed to be forwarded |
VRVDR-49734 | Critical | Strongswan VRRP startup check breaks RAVPN server |
VRVDR-49684 | Blocker | DHCP services within VRF failed to start after enabling secure boot |
VRVDR-49656 | Minor | IDT servo is built without optimization |
VRVDR-49633 | Critical | tcp_auth_collapse NULL pointer dereference causes kernel panic during SYN flood |
VRVDR-49631 | Blocker | PTP error message found on UFI06 |
VRVDR-49630 | Major | IPsec got warning on committing site-2-site tunnel config "Warning: unable to [VPN toggle net.ipv6.conf.intf.disable_xfrm], received error code 65280" |
VRVDR-49618 | Critical | Servo notifications always using attVrouterPtpServoFailure |
VRVDR-49584 | Minor | GRE over IPsec in transport mode (IKEv1) - responder intermittently replies "no acceptable traffic selectors found" |
VRVDR-49568 | Critical | Flexware XS and S: kernel panics on start after update to 4.19.93 |
VRVDR-49513 | Major | "Failed to connect to system bus" error messages |
VRVDR-49431 | Minor | Use upstream fix for correcting link speed when link is down |
VRVDR-49427 | Critical | Bridge commit failure when changing both max-age and forwarding-delay |
VRVDR-49426 | Major | Mellanox-100G: kernel interface shows up even when dataplane is stopped. |
VRVDR-49417 | Critical | Wrong counts for pkts matching 3-tuple but not 5-tuple |
VRVDR-49415 | Critical | Python traceback with "show cgnat session detail exclude-inner" |
VRVDR-49403 | Critical | LACP - vmxnet3 PMD unable to support additional MAC addresses |
VRVDR-49391 | Major | PTP: disable (by default) logging of the time adjustments by the IDT servo |
VRVDR-49376 | Critical | PTP: fails to issue clock servo recovery traps |
VRVDR-49365 | Critical | Remote Syslog broken by source interface status changes |
VRVDR-49351 | Major | CGNAT: TCP session with only ext -> int traffic doesn't timeout |
VRVDR-49350 | Critical | CGNAT - PCP session times out sooner than expected |
VRVDR-49344 | Critical | Firewall VFP acceptance tests broken by VRVDR-48094 |
VRVDR-49185 | Blocker | IP Packet Filter not applied at bootup |
VRVDR-49119 | Major | DUT stops responding following anomalous DHCP-DISCOVER packet |
VRVDR-49031 | Blocker | RA-VPN Server +VFP+default VRF : IPsec encryption failing on RA-VPN server for traffic destined or originated between end hosts connected behind the RA-VPN server/client |
VRVDR-49020 | Major | RA VPN: Spoke not forwarding with "ESP: Replay check failed for SPI" logs |
VRVDR-48944 | Critical | SIAD Dataplane crash when removing Tunnels interface config |
VRVDR-48761 | Major | J2: packets with too small IP length value forwarded rather than dropped |
VRVDR-48728 | Blocker | Network link down observed with VM built from vyatta-1908b-amd64-vrouter_20191010T1100-amd64-Build3.14.hybrid.iso |
VRVDR-48663 | Major | New SSH errors in 1903h make syslog more chatty |
VRVDR-48593 | Blocker | Mellanox 100G: The dataplane interface is not up after Disable/Enable the interface. |
VRVDR-48371 | Critical | IPSec RA VPN - Unable to ping spoke after failover |
VRVDR-48094 | Critical | IPsec RA VPN client/server: v4 traffic not working with when a concrete remote traffic-selector |
VRVDR-47473 | Blocker | Mellanox-100G: Observing that the interface (one interface out of two) link shows down after conf/deleting the mtu. Hence observing the traffic loss at that time. |
VRVDR-46719 | Critical | Poor TCP performance in iperf over IPSEC VTI (expect ~600Mbps but measuring ~2Mbps) |
VRVDR-46641 | Major | IKE control-plane incorrectly assumes that the IPsec dataplane supports ESP Traffic Flow Confidentiality |
VRVDR-45753 | Minor | Share storage help text for size missing units |
VRVDR-45071 | Critical | vyatta-security-vpn: vpn-config.pl: l2tp remote-access dhcp-interface "lo.tag;/tmp/bad.sh;echo " / code injection |
VRVDR-45069 | Critical | vyatta-security-vpn: set security vpn rsa-keys local-key file "/tmp/bad.sh;/tmp/bad.sh" / code injection |
VRVDR-45068 | Critical | vyatta-security-vpn: s2s tunnel protocol syntax script / code injection |
VRVDR-45067 | Critical | vyatta-security-vpn: set security vpn ipsec site-to-site peer $CODE / code injection |
VRVDR-45066 | Critical | vyatta-security-vpn: check_file_in_config passed unsanitized user input / code injection |
VRVDR-45065 | Critical | vyatta-security-vpn-secrets: code injection |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-49728 | N/A | DSA-4609-1 | CVE-2019-15795, CVE-2019-15796: Debian DSA-4609-1 : python-apt - security update |
VRVDR-49642 | 9.8 | DSA-4602-1 | CVE-2019-17349, CVE-2019-17350, CVE-2019-18420, CVE-2019-18421, CVE-2019-18422, CVE-2019-18423, CVE-2019-18424, CVE-2019-18425, CVE-2019-19577, CVE-2019-19578, CVE-2019-19579, CVE-2019-19580, CVE-2019-19581, CVE-2019-19582, CVE-2019-19583, CVE-2018-12207, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091, CVE-2019-11135, CVE-2019-17348, CVE-2019-17347, CVE-2019-17346, CVE-2019-17345, CVE-2019-17344, CVE-2019-17343, CVE-2019-17342, CVE-2019-17341, CVE-2019-17340: Debian DSA-4602-1 : xen - security update (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout) |
VRVDR-49486 | 5.3 | DSA-4594-1 | CVE-2019-1551: Debian DSA-4594-1 : openssl1.0 - security update |
VRVDR-49477 | 7.5 | DSA-4591-1 | CVE-2019-19906: Debian DSA-4591-1 : cyrus-sasl2 - security update |
VRVDR-49450 | 9.8 | DSA-4587-1 | CVE-2019-15845, CVE-2019-16201, CVE-2019-16254, CVE-2019-16255: Debian DSA-4587-1 : ruby2.3 - security update |
VRVDR-49132 | 7.8 | DSA-4564-1 | CVE-2018-12207, CVE-2019-0154, CVE-2019-0155, CVE-2019-11135: Debian DSA-4564-1: linux – security update |
1908h
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-51483 | Major | Removing guest configuration fails with scripting error |
VRVDR-51443 | Major | ipv6 router-advert CLI missing on switch VLAN interfaces |
VRVDR-51385 | Critical | Dataplane crash in next_hop_list_find_path_using_ifp |
VRVDR-51295 | Critical | Changing speed on interface resets configured MTU to default |
VRVDR-51185 | Blocker | Link doesn't come up after swapping 1000BASE-T SFP for 1000BASE-X SFP |
VRVDR-51183 | Major | 'FAL neighbour del' log is generated by dataplane for each ARP received for an unknown address |
VRVDR-51179 | Critical | live-cd installs should not install all unique state |
VRVDR-51066 | Blocker | 1908g performance hit with vCSR vnf scenario in Small, Medium and Large Platforms |
VRVDR-51008 | Major | When the /var/log partition exists journal files from previous installs are retained but not rotated |
VRVDR-50939 | Blocker | BFD session retained in admin down state when interface is disabled |
VRVDR-50754 | Critical | Cannot perform H2O Update Capsule update due to missing efivar tool |
VRVDR-50705 | Critical | show history & tech support output incorrectly show order of CLI commands executed |
VRVDR-50665 | Critical | Permit local user fallback following TACACS+ failure on read-only filesystem |
VRVDR-50621 | Critical | Duplicate entries added to dp_event_register() |
VRVDR-50614 | Critical | ADI V150 with 100M physical WAN port doesn't show drops with 100M QOS shaper applied |
VRVDR-50569 | Blocker | SIAD BFD inter-op issue with Cisco 7609S |
VRVDR-50560 | Critical | "show vpn ike secrets" allows operator and members outside the secrets group to display secrets |
VRVDR-50306 | Critical | ADI Spirent probe RFC2544 test failure due to small packet loss w/ 100m speed and 50m QoS shaper |
VRVDR-50279 | Major | RX error incrementing on the bond1 interface, but no errors on physical interface |
VRVDR-50237 | Critical | QoS not working when applied in certain order |
VRVDR-49656 | Minor | PTP: IDT servo is built without optimization |
VRVDR-49442 | Major | SNMP related syslog messages at wrong log level |
VRVDR-49326 | Major | At system login user level operator "show queuing" command does not work |
VRVDR-49231 | Critical | PPPoE Client - Not re-establishing dropped connection automatically |
VRVDR-48466 | Critical | DNS nslookup query within a routing instance vrf is broken |
VRVDR-48337 | Critical | NCS fails to load vyatta-*system-image YANG |
VRVDR-48203 | Minor | Split IDT servo into separate shared libraries |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-51236 | 8.6 | DSA-4689-1 | CVE-2019-6477, CVE-2020-8616, CVE-2020-8617: Debian DSA-4689-1 : bind9 - security update |
VRVDR-51142 | 5.5 | DSA-4685-1 | CVE-2020-3810: Debian DSA-4685-1 : apt - security update |
VRVDR-51054 | 6.7 | DSA-4688-1 | CVE-2020-10722, CVE-2020-10723, CVE-2020-10724: Debian DSA-4688-1 : dpdk - security update |
VRVDR-50530 | 7.1 | DSA-4647-1 | CVE-2020-0556: Debian DSA-4647-1 : bluez - security update |
1908g
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-50563 | Critical | Transport-link / port peering no longer works on xsm, sm and md |
1908f
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-50467 | Critical | Marvell : Sometimes after dataplane crash front panel ports do not come up |
VRVDR-50387 | Major | qemu-wrap.py script confusing libvirt/virsh |
VRVDR-50376 | Major | Increase max number of clients of dp_events |
VRVDR-50293 | Critical | Forwarded cross VRF traffic blackholed when SNAT is applied |
VRVDR-50191 | Critical | Packet capture leaking mbufs under heavy load |
VRVDR-49991 | Blocker | Enable hardware platform reboot on NMI panic |
VRVDR-49951 | Major | SNMP errors during PTP configuration |
VRVDR-49750 | Critical | TACACS+ authz sent for user * on Bash path completion |
VRVDR-49739 | Major | SFlow not sending packets out |
VRVDR-49797 | Major | vyatta-openvpn: code injection due to scripts in tmplscripts |
VRVDR-49683 | Critical | 1908d performance issue with QoS seeing significant reduction in performance |
VRVDR-49472 | Major | ENTITY-SENSOR-MIB: Incorrect OID values |
VRVDR-49470 | Critical | ENTITY-MIB: Missing entPhysicalDescr OID |
VRVDR-49316 | Blocker | SNMP entity subagent failed to handle month 12 |
VRVDR-48861 | Critical | Vyatta VNF creating extra RX queues |
VRVDR-47761 | Minor | Spurious log: LLADDR: NEWNEIGH without link layer address? |
VRVDR-45649 | Major | Route Leaking into VRF not working as expected - pings not resolving |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-50166 | 9.8 | DSA-4633-1 | CVE-2019-5436, CVE-2019-5481, CVE-2019-5482: Debian DSA-4633-1 : curl - security update |
VRVDR-50161 | 9.8 | DSA-4632-1 | CVE-2020-8597: Debian DSA-4632-1 : ppp - security update |
1908e
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-49924 | Blocker | Commit failed in IPsec site-to-site configuration |
VRVDR-49822 | Critical | Only shows peering with 16 nodes in "show ptp clock 0" |
VRVDR-49684 | Blocker | DHCP services within VRF failed to start after enabling secure boot |
VRVDR-49633 | Critical | tcp_auth_collapse NULL pointer dereference causes kernel panic during SYN flood |
VRVDR-49631 | Blocker | PTP error message found on UFI06 |
VRVDR-49584 | Minor | GRE over IPsec in transport mode (IKEv1) - responder intermittently replies "no acceptable traffic selectors found" |
VRVDR-49568 | Critical | Flexware XS and S: kernel panics on start after update to 4.19.93 |
VRVDR-49459 | Major | Ping monitor may send more packets than specified in "packets" |
VRVDR-49439 | Major | Path Monitor does not handle fractional ping loss correctly |
VRVDR-48944 | Critical | SIAD dataplane crash when removing tunnels interface config |
VRVDR-47869 | Minor | L2TP/IPsec with x.509 authentication fails due to incorrect path to certificates |
VRVDR-46719 | Critical | Poor TCP performance in iperf over IPSEC VTI (expect ~600Mbps but measuring ~2Mbps) |
VRVDR-45071 | Critical | vyatta-security-vpn: vpn-config.pl: l2tp remote-access dhcp-interface "lo.tag;/tmp/bad.sh;echo " / code injection |
VRVDR-45069 | Critical | vyatta-security-vpn: set security vpn rsa-keys local-key file "/tmp/bad.sh;/tmp/bad.sh" / code injection |
VRVDR-45068 | Critical | vyatta-security-vpn: s2s tunnel protocol syntax script / code injection |
VRVDR-45067 | Critical | vyatta-security-vpn: set security vpn ipsec site-to-site peer $CODE / code injection |
VRVDR-45066 | Critical | vyatta-security-vpn: check_file_in_config passed unsanitized user input / code injection |
VRVDR-45065 | Critical | vyatta-security-vpn-secrets: code injection |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-49834 | 7.8 | DSA-4614-1 | CVE-2019-18634: Debian DSA-4614-1 : sudo - security update |
VRVDR-49832 | 9.8 | DSA-4616-1 | CVE-2019-15890, CVE-2020-7039, CVE-2020-1711: Debian DSA-4616-1: qemu – security update |
VRVDR-49728 | N/A | DSA-4609-1 | CVE-2019-15795, CVE-2019-15796: Debian DSA-4609-1 : python-apt - security update |
VRVDR-49642 | 9.8 | DSA-4602-1 | CVE-2019-17349, CVE-2019-17350, CVE-2019-18420, CVE-2019-18421, CVE-2019-18422, CVE-2019-18423, CVE-2019-18424, CVE-2019-18425, CVE-2019-19577, CVE-2019-19578, CVE-2019-19579, CVE-2019-19580, CVE-2019-19581, CVE-2019-19582, CVE-2019-19583, CVE-2018-12207, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091, CVE-2019-11135, CVE-2019-17348, CVE-2019-17347, CVE-2019-17346, CVE-2019-17345, CVE-2019-17344, CVE-2019-17343, CVE-2019-17342, CVE-2019-17341, CVE-2019-17340: Debian DSA-4602-1 : xen - security update (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout) |
VRVDR-49132 | 7.8 | DSA-4564-1 | CVE-2018-12207, CVE-2019-0154, CVE-2019-0155, CVE-2019-11135: Debian DSA-4564-1: linux – security update |
1908d
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-49618 | Critical | Servo notifications always using attVrouterPtpServoFailure |
VRVDR-49426 | Major | Mellanox-100G: kernel interface shows up even when dataplane is stopped |
VRVDR-49391 | Major | Disable (by default) logging of the time adjustments by the IDT server |
VRVDR-49246 | Critical | Flexware stops forwarding pkts over hardware switch after flooding unknown unicasts |
VRVDR-49223 | Major | Hardware CPP rate limiter feature accepted packet count not working |
VRVDR-49185 | Blocker | IP Packet Filter not applied at bootup |
VRVDR-49137 | Major | Syslog rate-limit not respected for above 65000 messages per interval |
VRVDR-49020 | Major | RA VPN: Spoke not forwarding with "ESP: Replay check failed for SPI" logs |
VRVDR-48992 | Minor | Syslog generates message "Child xxxxx has terminated, reaped by main-loop" at wrong priority |
VRVDR-48960 | Critical | SIAD - audit logs with no priority default to syslog level NOTICE and are overly chatty |
VRVDR-48892 | Blocker | Ping failure with storm-control & QoS |
VRVDR-48891 | Blocker | Dataplane crashed while changing PTP configuration |
VRVDR-48850 | Major | PTP: Frequently logging Slave Unavailable/Available msg in the console log |
VRVDR-48820 | Critical | PTP: master not tracked correctly across port changes |
VRVDR-48728 | Blocker | Network link down observed with VM built from vyatta-1908b-amd64-vrouter_20191010T1100-amd64-Build3.14.hybrid.iso |
VRVDR-48720 | Critical | PTP: assert in IDTStackAdaptor_UpdateBestMasterSelection |
VRVDR-48660 | Critical | No rotation occurring for /var/log/messages |
VRVDR-48585 | Major | ICMP Unreachable not returned when decrypted IPsec packet is too large to pass tunnel interface MTU |
VRVDR-48461 | Critical | SNMP Not working in 1908a |
VRVDR-47203 | Major | 1903d yang package fatal error |
VRVDR-47002 | Minor | PTP: network information is not cleared from disabled (skipped) ports during reconfiguration |
VRVDR-44104 | Blocker | Creating a switch interface doesn't work with QinQ |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-49486 | 5.3 | DSA-4594-1 | CVE-2019-1551: Debian DSA-4594-1 : openssl1.0 - security update |
VRVDR-49477 | 7.5 | DSA-4591-1 | CVE-2019-19906: Debian DSA-4591-1 : cyrus-sasl2 - security update |
VRVDR-49450 | 9.8 | DSA-4587-1 | CVE-2019-15845, CVE-2019-16201, CVE-2019-16254, CVE-2019-16255: Debian DSA-4587-1 : ruby2.3 - security update |
VRVDR-49155 | 7.2 | N/A | CVE-2018-5265: Devices allow remote attackers to execute arbitrary code with admin credentials, because /opt/vyatta/share/vyatta-cfg/templates/system/static-host-mapping/host-name/node.def does not sanitize the 'alias' or 'ips' parameter for shell metacharacters. |
VRVDR-48691 | 7.5 | DSA-4544-1 | CVE-2019-16866: Debian DSA-4544-1: unbound - security update |
VRVDR-48133 | 8.8 | DSA-4512-1 | CVE-2019-13164, CVE-2019-14378: Debian DSA-4512-1: qemu – security update |
VRVDR-48132 | 7.5 | DSA-4511-1 | CVE-2019-9511, CVE-2019-9513: Debian DSA-4511-1: nghttp2 – security update |
VRVDR-47885 | 8.1 | DSA-4495-1 | CVE-2018-20836, CVE-2019-1125, CVE-2019-1999, CVE-2019-10207, CVE-2019-10638, CVE-2019-12817, CVE-2019-12984, CVE-2019-13233, CVE-2019-13631, CVE-2019-13648, CVE-2019-14283, CVE-2019-14284: Debian DSA-4495-1: linux – security update |
1908c
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-49060 | Major | RA VPN: no ESP traffic from Hub to Spoke |
VRVDR-49035 | Major | RA VPN: "show vpn ipsec sa" inbound/outbound bytes stats are swapped |
VRVDR-48949 | Major | Add output for determining punt-path programming state to tech-support |
VRVDR-48893 | Critical | RA VPN: intermittent ICMP loss through HUB due to misprogrammed punt path |
VRVDR-48889 | Critical | RA VPN: client IPsec SAs are piling up when make-before-break (client) + reauth-time (server) is configured |
VRVDR-48878 | Critical | VPN client log overflow in auth.log |
VRVDR-48837 | Critical | Reduce "sending DPD request" loglevel temporarily to reduce logging load |
VRVDR-48717 | Major | Resources group address-group address-range entries do not work together with address entries |
VRVDR-48672 | Critical | SIAD stops forwarding traffic after 4-5 hours of long duration test |
VRVDR-48057 | Minor | Add additional IPSec debug support to tech-support |
VRVDR-47596 | Major | NAT used count is showing count larger than total available |
1908b
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-48774 | Minor | PTP: When changing port states the old and new states are backward |
VRVDR-48644 | Minor | add logging for PTP slaves similar to PTP master |
VRVDR-48623 | Critical | Assert in IDTStackAdaptor_AddDownlinkTimeStampDifferences |
VRVDR-48600 | Critical | Upgrade to 3.0.8 version of UfiSpace's BSP utils |
VRVDR-48588 | Critical | PTP fails to create ports when config is removed and reapplied |
VRVDR-48567 | Blocker | DPLL3 is not in free-run by default |
VRVDR-48560 | Major | Kernel neighbour updates may cause dataplane neighbour to transiently become invalid |
VRVDR-48559 | Major | Static ARP entry not always noted in dataplane ARP table |
VRVDR-48553 | Blocker | SIAD not updating L3 neighbour entry on MAC change |
VRVDR-48542 | Critical | "ipsec sad" was not containing "virtual-feature-point" |
VRVDR-48527 | Blocker | SIAD: 1G dataplane interfaces fail to start |
VRVDR-48522 | Blocker | MACVLAN interface not receiving packets with programmed MAC address (VRRP with RFC-compatibility) |
VRVDR-48519 | Major | Operator in secrets group cannot view redacted secret in "show config" but can in "show config command" |
VRVDR-48484 | Blocker | QOS policy dropping all traffic by policer intermittently |
VRVDR-48430 | Critical | Issue trap/notification when servo failure is resolved |
VRVDR-48415 | Major | OSPF flap to INIT state when changing (add or delete) network statements in OSPF |
VRVDR-48408 | Major | Upgrade Insyde phy_alloc module to version 6 |
VRVDR-48390 | Minor | Enable some IDT log messages |
VRVDR-48384 | Major | Change CGNAT to stop using the NPF interface structure |
VRVDR-48372 | Major | Source NAT is using PPPoE Server (default GW) IP and not local PPPoE interface IP |
VRVDR-48366 | Major | Some RFC 7951 data test are wrong causing build breakage 1% of the time |
VRVDR-48338 | Critical | IDT servo fails to reliably negotiate higher packet rates with GM |
VRVDR-48332 | Major | TACACS+ AAA plugin should restart on DBus failures |
VRVDR-48327 | Blocker | HW forwarding failure due to incorrect L2 Rewrite info |
VRVDR-48273 | Major | Show sfp info in show interface dataplane <intf> physical on Flexware |
VRVDR-48243 | Blocker | SIAD Boundary Clock not staying locked to GM when using ECMP paths |
VRVDR-48224 | Major | "show cgnat session" with complex filter missing entry |
VRVDR-48222 | Major | Isolate configd and opd from plugin panics |
VRVDR-48201 | Blocker | Mellanox 100G: Needs improvement for performance of 128, 256 Byte pkts; 64Byte pkt has better performance |
VRVDR-48169 | Critical | Mellanox 100G: improve traffic throughput performance |
VRVDR-48167 | Critical | 'show tech-support' hangs 'WARNING: terminal is not fully functional' |
VRVDR-48157 | Critical | Center LED status for S/M/L is not working as expected |
VRVDR-48124 | Critical | Azure: System does not provision ssh key pair |
VRVDR-48113 | Major | OSPF not on vtun interface |
VRVDR-48108 | Minor | Debug level messages for VRRP seen in journal |
VRVDR-48102 | Critical | Fails to operate when the number of interfaces with PTP enabled is scaled up |
VRVDR-48098 | Critical | BroadPTP fails to re-mark SIGNALING messages with appropriate DSCP |
VRVDR-48093 | Blocker | Missing SFP 'Measured values' on FTLF1518P1BTL optics |
VRVDR-48077 | Critical | Update BIOS strings for the Flexware XSmall platform |
VRVDR-48033 | Minor | Keepalived: Packet filter picked up an IPv4 advertisement from the local box - dropping it before processing |
VRVDR-47990 | Critical | Vyatta vRouter for vNAT usecase(s) in Azure external cloud |
VRVDR-47986 | Major | Change CGNAT policy match from a prefix to an address-group |
VRVDR-47975 | Critical | TACACS: wall: /dev/pts/2: No such file or directory observed on system reboot |
VRVDR-47927 | Major | DPDK - enable selected test apps |
VRVDR-47882 | Major | CGNAT logs inconsistent with NAT |
VRVDR-47863 | Critical | VRRPv3 VRF IPv6 IPAO: Reconfig of LL vip results in MASTER/MASTER scenario |
VRVDR-47842 | Minor | mGRE tunnel is not coming up after making address change at the spoke |
VRVDR-47828 | Critical | Crash of keepalived when reloading the daemon (accessing invalid memory) |
VRVDR-47816 | Major | NAT statistics not displaying in 'show tech-support save' output |
VRVDR-47792 | Major | "clear cgnat session" sometimes errors out after scale test |
VRVDR-47747 | Blocker | Dataplane killed by OOM during CGNAT scale test |
VRVDR-47710 | Major | NHRP overloads IPsec daemon communication |
VRVDR-47701 | Major | CGNAT: Calculate and store RTT times in microseconds |
VRVDR-47675 | Major | Sessions are not deleted after deleting CGNAT configurations - stays until original timeout expires in particular scenario |
VRVDR-47611 | Major | CGNAT: RPC keyerror if non-existing interface name is used in get-session-information |
VRVDR-47601 | Major | VRRP retains MASTER when device is disabled due to license invalid/expired |
VRVDR-47472 | Critical | Mellanox-100G: Observing the traffic forwards even after disabling the dataplane interface |
VRVDR-47397 | Blocker | PTP logging "STATE: Overall for path '[service ptp instance]'" every 75 seconds |
VRVDR-47130 | Major | Send gratuitous ARP on MAC address change |
VRVDR-47006 | Major | PTP show ptp <command> intermittent fails to return any output |
VRVDR-46868 | Blocker | Log the port block allocation logs, subscriber logs and resource constraint logs to a different log other than syslog |
VRVDR-46829 | Minor | The reported timestamps in packet traces are not consistent with the actual time and system clock |
VRVDR-45781 | Major | 'reset dns forwarding cache routing-instance red' not finding VRF instance |
VRVDR-42161 | Minor | tech-support should contain "CLI: coredumpctl info" prefix for COREDUMPS header |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-48841 | 9.8 | DSA-4550-1 | CVE-2019-18218: Debian DSA-4550-1 : file - security update |
VRVDR-48746 | 9.8 | DSA-4547-1 | CVE-2018-10103, CVE-2018-10105, CVE-2018-14461, CVE-2018-14462, CVE-2018-14463, CVE-2018-14464, CVE-2018-14465, CVE-2018-14466, CVE-2018-14467, CVE-2018-14468, CVE-2018-14469, CVE-2018-14470, CVE-2018-14879, CVE-2018-14880, CVE-2018-14881, CVE-2018-14882, CVE-2018-16227, CVE-2018-16228, CVE-2018-16229, CVE-2018-16230, CVE-2018-16300, CVE-2018-16451, CVE-2018-16452, CVE-2019-15166: Debian DSA-4547-1: tcpdump – security update |
VRVDR-48652 | N/A | DSA-4543-1 | CVE-2019-14287: Debian DSA-4543-1 : sudo - security update |
VRVDR-48502 | 5.3 | DSA-4539-1 | CVE-2019-1547, CVE-2019-1549, CVE-2019-1563: Debian DSA-4539-1 : openssl - security update |
VRVDR-48446 | 6.7 | DSA-4535-1 | CVE-2019-5094: Debian DSA-4535-1 : e2fsprogs - security update |
VRVDR-48412 | 9.8 | DSA-4531-1 | CVE-2019-14821, CVE-2019-14835, CVE-2019-15117, CVE-2019-15118, CVE-2019-15902: Debian DSA-4531-1 : linux - security update |
VRVDR-47897 | 8.1 | DSA-4497-1 | CVE-2015-8553, CVE-2018-5995, CVE-2018-20836, CVE-2018-20856, CVE-2019-1125, CVE-2019-3882, CVE-2019-3900, CVE-2019-10207, CVE-2019-10638, CVE-2019-10639, CVE-2019-13631, CVE-2019-13648, CVE-2019-14283, CVE-2019-14284: DSA-4497-1: linux – security update |
1908a
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-48082 | Blocker | IPSec RA VPN Client PATH MONITOR not functional |
VRVDR-48048 | Critical | SHOW POE command not working for XS/SM Blinkboot |
VRVDR-48041 | Major | ptp: support the maximum number of clock ports in BroadPTP |
VRVDR-48040 | Major | Upgrade journalbeat to latest 6.x |
VRVDR-47974 | Blocker | BFD packets incorrectly scheduled on egress |
VRVDR-47947 | Major | Dataplane wrongly logging failure to delete hash table |
VRVDR-47934 | Major | QoS: show policy qos <if-name> class can display no output |
VRVDR-46077 | Major | Build and sign Insyde phy_alloc module |
VRVDR-47924 | Major | BGP 'show' output for default-vrf not captured in 'show tech-support' |
VRVDR-47908 | Blocker | SIAD displays incorrect serial number in 'show version' |
VRVDR-47907 | Blocker | Mellanox-100G: UDP or TCP traffic with 10K flows only reaches 10% line rate |
VRVDR-47893 | Critical | SIAD : up-rev Ufi diags to v3.1.7 |
VRVDR-47888 | Blocker | IPsec v4 tunnel traffic not working after upgrade to 1908 |
VRVDR-47534 | Blocker | ptp: lower servo requirements for lock |
VRVDR-47871 | Critical | Permission denied error when attempting to clear bridge interface counters |
VRVDR-47870 | Major | Don't disable PTP when port is referenced twice in the configuration and removed |
VRVDR-47851 | Minor | Increase the number of clock ports supported |
VRVDR-47840 | Blocker | dp0xe1 u/D on Medium after upgrade to 1908 |
VRVDR-47824 | Critical | Got bridge sw0 does not exist message with XS running in Blinkboot BIOS mode |
VRVDR-47814 | Critical | system ip gratuitous-arp not setting policy |
VRVDR-47809 | Major | Configd does not expand grouping defined under a nested augment |
VRVDR-47807 | Major | SIAD loses OSPFv3 neighbours periodically for 180s |
VRVDR-47624 | Blocker | PTP fails to start with PTP config present at bootup |
VRVDR-47481 | Critical | PTP with 2 slaves dataplane crash in bcm_ptp_unicast_slave_subscribe |
VRVDR-47391 | Blocker | PTP fails to return to time-locked state after master clock stopped and re-started |
VRVDR-47244 | Critical | dataplane crash on restart - no code changes |
VRVDR-41129 | Blocker | Journalbeat can't export logs to destination in routing instance |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-48074 | 9.8 | DSA-4506-1 | CVE-2018-20815, CVE-2019-13164, CVE-2019-14378: Debian DSA-4506-1 : qemu - security update |
VRVDR-47707 | 7.8 | DSA-4484-1 | CVE-2019-13272: Debian DSA-4484-1: linux security update |
1801zf
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-50956 | Critical | VRRP goes into fault state after reboot |
VRVDR-49924 | Blocker | Commit failed in IPsec site-to-site configuration |
VRVDR-49760 | Major | VRRP Failover happens when one of the interfaces in bonding group is physically UP |
VRVDR-49737 | Major | GUI displays wrong/different information than CLI |
VRVDR-49707 | Major | vyatta-openvpn: code injection due to scripts in tmplscripts |
VRVDR-49584 | Minor | GRE over IPsec in transport mode (IKEv1) - responder intermittently replies "no acceptable traffic selectors found" |
VRVDR-49439 | Major | Path Monitor does not handle fractional ping loss correctly |
VRVDR-48145 | Critical | VRRP - Cores Generated by keepalived |
VRVDR-48067 | Minor | VPN commit returns "Warning: unable to [VPN toggle net.ipv4.conf.intf.disable_policy], received error code 65280" |
VRVDR-45071 | Critical | vyatta-security-vpn: vpn-config.pl: l2tp remote-access dhcp-interface "lo.tag;/tmp/bad.sh;echo " / code injection |
VRVDR-45069 | Critical | vyatta-security-vpn: set security vpn rsa-keys local-key file "/tmp/bad.sh;/tmp/bad.sh" / code injection |
VRVDR-45068 | Critical | vyatta-security-vpn: s2s tunnel protocol syntax script / code injection |
VRVDR-45067 | Critical | vyatta-security-vpn: set security vpn ipsec site-to-site peer $CODE / code injection |
VRVDR-45066 | Critical | vyatta-security-vpn: check_file_in_config passed unsanitized user input / code injection |
VRVDR-45065 | Critical | vyatta-security-vpn-secrets: code injection |
VRVDR-40303 | Critical | fsck doesn't seem to be running on boot |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-51236 | 8.6 | DSA-4689-1 | CVE-2019-6477, CVE-2020-8616, CVE-2020-8617: Debian DSA-4689-1 : bind9 - security update |
VRVDR-51142 | 5.5 | DSA-4685-1 | CVE-2020-3810: Debian DSA-4685-1 : apt - security update |
VRVDR-50886 | 8.8 | DSA-4670-1 | CVE-2018-12900, CVE-2018-17000, CVE-2018-17100, CVE-2018-19210, CVE-2019-7663, CVE-2019-14973, CVE-2019-17546 : Debian DSA-4670-1 : tiff - security update |
VRVDR-50851 | 7.5 | DSA-4666-1 | CVE-2020-12243: Debian DSA-4666-1 : openldap - security update |
VRVDR-50498 | 8.8 | DSA-4646-1 | CVE-2020-10531: Debian DSA-4646-1 : icu - security update |
VRVDR-50166 | 9.8 | DSA-4633-1 | CVE-2019-5436, CVE-2019-5481, CVE-2019-5482: Debian DSA-4633-1 : curl - security update |
VRVDR-50161 | 9.8 | DSA-4632-1 | CVE-2020-8597: Debian DSA-4632-1 : ppp - security update |
VRVDR-49834 | 7.8 | DSA-4614-1 | CVE-2019-18634: Debian DSA-4614-1 : sudo - security update |
VRVDR-49832 | 9.8 | DSA-4616-1 | CVE-2019-15890, CVE-2020-7039, CVE-2020-1711: Debian DSA-4616-1: qemu – security update |
VRVDR-49728 | N/A | DSA-4609-1 | CVE-2019-15795, CVE-2019-15796: Debian DSA-4609-1 : python-apt - security update |
VRVDR-49704 | 8.8 | DSA-4608-1 | CVE-2019-14973, CVE-2019-17546 : Debian DSA 4608-1 : tiff security update |
VRVDR-49642 | 9.8 | DSA-4602-1 | CVE-2019-17349, CVE-2019-17350, CVE-2019-18420, CVE-2019-18421, CVE-2019-18422, CVE-2019-18423, CVE-2019-18424, CVE-2019-18425, CVE-2019-19577, CVE-2019-19578, CVE-2019-19579, CVE-2019-19580, CVE-2019-19581, CVE-2019-19582, CVE-2019-19583, CVE-2018-12207, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091, CVE-2019-11135, CVE-2019-17348, CVE-2019-17347, CVE-2019-17346, CVE-2019-17345, CVE-2019-17344, CVE-2019-17343, CVE-2019-17342, CVE-2019-17341, CVE-2019-17340: Debian DSA-4602-1 : xen - security update (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout) |
VRVDR-49155 | 7.2 | N/A | CVE-2018-5265 : remote attackers able to execute arbitrary code with admin credentials |
VRVDR-49132 | 7.8 | DSA-4564-1 | CVE-2018-12207, CVE-2019-0154, CVE-2019-0155, CVE-2019-11135: Debian DSA-4564-1: linux – security update |
1801ze
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-49402 | Blocker | Non-GRE Tunnel intfs fail to come back to up state after toggling state |
VRVDR-49137 | Major | Syslog rate-limit not respected for above 65000 messages per interval |
VRVDR-48992 | Minor | Syslog generates message "Child xxxxx has terminated, reaped by main-loop" at wrong priority |
VRVDR-48719 | Minor | Perl traceback when deleting resources group address-group address-range |
VRVDR-48705 | Major | High volume of csync logs causing firewall logs to be suppressed |
VRVDR-48585 | Major | ICMP Unreachable not returned when decrypted IPsec packet is too large to pass tunnel interface MTU |
VRVDR-48057 | Minor | Add additional IPsec debug support to tech-support |
VRVDR-47681 | Critical | Resetting a single VRRP group causes all VRRP groups to reset |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-49486 | 5.3 | DSA-4594-1 | CVE-2019-1551: Debian DSA-4594-1 : openssl1.0 - security update |
VRVDR-49477 | 7.5 | DSA-4591-1 | CVE-2019-19906: Debian DSA-4591-1 : cyrus-sasl2 - security update |
VRVDR-49450 | 9.8 | DSA-4587-1 | CVE-2019-15845, CVE-2019-16201, CVE-2019-16254, CVE-2019-16255: Debian DSA-4587-1 : ruby2.3 - security update |
VRVDR-48841 | 9.8 | DSA-4550-1 | CVE-2019-18218: Debian DSA-4550-1 : file - security update |
VRVDR-48691 | 7.5 | DSA-4544-1 | CVE-2019-16866: Debian DSA-4544-1: unbound security update |
VRVDR-48133 | 8.8 | DSA-4512-1 | CVE-2019-13164, CVE-2019-14378: Debian DSA-4512-1: qemu – security update |
VRVDR-48132 | 7.5 | DSA-4511-1 | CVE-2019-9511, CVE-2019-9513: Debian DSA-4511-1: nghttp2 – security update |
VRVDR-47885 | 8.1 | DSA-4495-1 | CVE-2018-20836, CVE-2019-1125, CVE-2019-1999, CVE-2019-10207, CVE-2019-10638, CVE-2019-12817, CVE-2019-12984, CVE-2019-13233, CVE-2019-13631, CVE-2019-13648, CVE-2019-14283, CVE-2019-14284: Debian DSA-4495-1: linux – security update |
1801zd
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-48717 | Major | Resources group address-group address-range entries do not work together with address entries |
VRVDR-48473 | Minor | Error getting Login User Id |
VRVDR-47596 | Minor | NAT used count is showing count larger than total available |
VRVDR-41091 | Minor | Off-by-one error in lcore id in copying rule stats |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-48746 | 9.8 | DSA-4547-1 | CVE-2018-10103, CVE-2018-10105, CVE-2018-14461, CVE-2018-14462, CVE-2018-14463, CVE-2018-14464, CVE-2018-14465, CVE-2018-14466, CVE-2018-14467, CVE-2018-14468, CVE-2018-14469, CVE-2018-14470, CVE-2018-14879, CVE-2018-14880, CVE-2018-14881, CVE-2018-14882, CVE-2018-16227, CVE-2018-16228, CVE-2018-16229, CVE-2018-16230, CVE-2018-16300, CVE-2018-16451, CVE-2018-16452, CVE-2019-15166: Debian DSA-4547-1: tcpdump – security update |
VRVDR-48652 | N/A | DSA-4543-1 | CVE-2019-14287: Debian DSA-4543-1 : sudo - security update |
VRVDR-48502 | 5.3 | DSA-4539-1 | CVE-2019-1547, CVE-2019-1549, CVE-2019-1563: Debian DSA-4539-1 : openssl - security update |
VRVDR-48446 | 6.7 | DSA-4535-1 | CVE-2019-5094: Debian DSA-4535-1 : e2fsprogs - security update |
1801zc
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-48148 | Major | "Can't stat /var/run/gre" error seen on deleting erspan tunnel |
VRVDR-47842 | Minor | mGRE tunnel is not coming up after making address change at the spoke |
VRVDR-47816 | Major | NAT statistics not displaying in 'show tech-support save' output |
VRVDR-47601 | Major | VRRP retains MASTER when device is disabled due to license invalid/expired |
VRVDR-46829 | Minor | The reported timestamps in packet traces are not consistent with the actual time and system clock |
VRVDR-36174 | Major | A-Time in the output of, 'show vpn ike sa' is always 0 |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-48412 | 9.8 | DSA-4531-1 | CVE-2019-14821, CVE-2019-14835, CVE-2019-15117, CVE-2019-15118, CVE-2019-15902: Debian DSA-4531-1 : linux - security update |
VRVDR-47897 | 8.1 | DSA-4497-1 | CVE-2015-8553, CVE-2018-5995, CVE-2018-20836, CVE-2018-20856, CVE-2019-1125, CVE-2019-3882, CVE-2019-3900, CVE-2019-10207, CVE-2019-10638, CVE-2019-10639, CVE-2019-13631, CVE-2019-13648, CVE-2019-14283, CVE-2019-14284: DSA-4497-1: Linux – security update |
1801zb
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-47924 | Major | BGP 'show' output for default-vrf not captured in 'show tech-support' |
VRVDR-47869 | Minor | L2TP/IPsec with x.509 authentication fails due to incorrect path to certificates |
VRVDR-47711 | Minor | changing 'syslog global facility all level' overwrites individual 'facility <> level' settings |
VRVDR-47710 | Major | nhrp overloads IPsec daemon communication |
VRVDR-47661 | Minor | L2TP in high availability pair will not allow connections after VRRP failover |
VRVDR-47606 | Major | Configuring "service https listen-address" bypasses the TLSv1.2 enforcement |
VRVDR-47543 | Blocker | Long Login Delay due to pam_systemd failed to create session |
VRVDR-47506 | Minor | ntpq segfault in ld-2.24.so |
VRVDR-47485 | Major | VRRP snmp MIB stops working when any configuration changes made to SNMP |
VRVDR-47381 | Major | When a vrrp vif is disabled the next change may prevent the interface from being displayed in 'show interfaces' |
VRVDR-47229 | Blocker | netplugd crash on configuration change |
VRVDR-46417 | Major | Dataplane is sending GRE packets sourced from non-exist VRRP VIP when router is BACKUP |
VRVDR-45396 | Critical | Shunt policy installation race |
VRVDR-42108 | Minor | After 25s ssh login delay 'systemctl --user status' fails with "Failed to connect to bus: No such file or directory" |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-47707 | 7.8 | DSA-4484-1 | CVE-2019-13272: Debian DSA-4484-1: linux security update |
VRVDR-37993 | 5.0 | N/A | CVE-2013-5211: Network Time Protocol (NTP) Mode 6 Scanner |
1801za
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-47387 | Major | NAT statistics displaying unrealistic usage values |
VRVDR-47345 | Minor | Syslog rate-limiting does not take effect when configured |
VRVDR-47290 | Minor | SNMP agent memory cleanup issue on interface scans for ipAddrTable GET/GETNEXT fetch requests |
VRVDR-47224 | Minor | OSPF debug logs are incorrectly showing when logging level is set to info |
VRVDR-47222 | Minor | GUI not responding after RO users login |
VRVDR-47179 | Major | “Update config-sync” overwrites IPsec pre-shared secret key with masked value of asterisks if run by different user than the one used for config-sync itself |
VRVDR-47066 | Major | Configuration change to a site-to-site or DMVPN may cause IKE negotiation to fail with INVAL_ID for IKEv1 or TS_UNACCEPT for IKEv2 |
VRVDR-47001 | Minor | MTU value changes on VIF/VRRP interface after restart or reboot - cosmetic |
VRVDR-46991 | Minor | “Show tech-support save” should include additional debug detail for site-to-site configs |
VRVDR-46775 | Major | Modifying the tunnel configuration of an IPsec peer that uses multiple VFP interfaces may cause an active tunnel to become stale |
VRVER-45230 | Blocker | Massive memory leak with SNMP polling |
VRVDR-39747 | Major | Incorrectly reported total available SNAT entries when configuring translation address/mask directly |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-47586 | N/A | DSA-4477-1 | CVE-2019-13132: Debian DSA-4477-1: zeromq3 security update |
VRVDR-47573 | 7.4 | DSA-4475-1 | CVE-2019-1543: Debian DSA-4475-1 : openssl - security update |
VRVDR-47532 | 9.8 | DSA-4465-1 | CVE-2019-3846, CVE-2019-5489, CVE-2019-9500, CVE-2019-9503, CVE-2019-10126, CVE-2019-11477, CVE-2019-11478, CVE-2019-11479, CVE-2019-11486, CVE-2019-11599, CVE-2019-11815, CVE-2019-11833, CVE-2019-11884: Debian DSA-4465-1: Linux – security update |
VRVDR-47497 | 7.5 | DSA-4472-1 | CVE-2018-20843: Debian DSA-4472-1 : expat - security update |
VRVDR-47389 | N/A | DSA-4467-2 | CVE-2019-12735: Debian DSA-4467-2: vim regression update |
VRVDR-47388 | N/A | DSA-4469-1 | CVE-2019-10161, CVE-2019-10167: Debian DSA-4469-1: libvirt security update |
VRVDR-47363 | 8.6 | DSA-4467-1 | CVE-2019-12735: Debian DSA-4467-1 : vim - security update |
VRVDR-47358 | 9.8 | N/A | CVE-2016-10228, CVE-2017-12132, CVE-2018-1000001, CVE-2018-6485, CVE-2017-15670, CVE-2017-15671, CVE-2017-15804, CVE-2017-12133, CVE-2017-16887, CVE-2017-1000366, CVE-2015-5180, CVE-2016-6323, CVE-2016-10228: glibc package update |
VRVDR-47293 | 7.1 | DSA-4462-1 | CVE-2019-12749: Debian DSA-4462-1 : dbus - security update |
VRVDR-47202 | N/A | DSA-4454-2 | Debian DSA-4454-2: qemu regression update |
1801z
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-46941 | Minor | Traffic that has SNAT session is filtered using stateless ZBF on return |
VRVDR-46659 | Major | I350 intfs with mtu 9000 remains stuck at u/D state on upgrade from 1808* to 1903a |
VRVDR-46623 | Minor | Firewall 'description' logs a perl error on commit when the description has more than one word |
VRVDR-46549 | Critical | Shell injection privilege escalation/sandbox escape in show ip route routing-instance <name> variance command |
VRVDR-46389 | Major | BGP configuration changes may not take effect if applied after (re)boot |
VRVDR-45949 | Minor | Netflow generates a NOTICE log for every sample sent when certain non-key fields are configured |
VRVDR-43169 | Minor | Logging every time one calls a configd C based API but doesn't supply an error struct is no longer useful |
VRVDR-41225 | Minor | When configuring interface description, every white space is treated as a new line |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-46824 | N/A | DSA-4440-1 | CVE-2018-5743, CVE-2018-5745, CVE-2019-6465: Debian DSA-4440-1 : bind9 - security update |
VRVDR-46603 | 5.3 | DSA-4435-1 | CVE-2019-7317: Debian DSA-4435-1 : libpng1.6 - security update |
VRVDR-46425 | N/A | DSA-4433-1 | CVE-2019-8320, CVE-2019-8321, CVE-2019-8322, CVE-2019-8323, CVE-2019-8324, CVE-2019-8325: Debian DSA-4433-1 : ruby2.3 - security update |
VRVDR-46350 | 9.1 | DSA-4431-1 | CVE-2019-3855, CVE-2019-3856, CVE-2019-3857, CVE-2019-3858, CVE-2019-3859, CVE-2019-3860, CVE-2019-3861, CVE-2019-3862, CVE-2019-3863: Debian DSA-4431-1 : libssh2 - security update |
1801y
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-46029 | Major | VRRP authentication either with simple text password or AH type does not work properly |
VRVDR-45864 | Critical | Shell injection privilege escalation/sandbox escape in vyatta-techsupport remote copy |
VRVDR-45748 | Major | Missing checks for zmsg_popstr returning a NULL pointer causing connsync to crash dataplane |
VRVDR-45740 | Minor | 'generate tech-support archive' should not aggregate all existing archives |
VRVDR-45720 | Major | vrrp gets stuck waiting for a packet when start_delay used with only a single router |
VRVDR-45655 | Critical | "PANIC in rte_mbuf_raw_alloc" when performing VRRP failover |
VRVDR-45059 | Major | null deref in sip_expire_session_request |
VRVDR-41419 | Major | Static Analysis dataplane fixes |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-46139 | 7.0 | DSA-4428-1 | CVE-2019-3842: Debian DSA-4428-1 : systemd - security update |
VRVDR-46087 | N/A | DSA-4425-1 | CVE-2019-5953: Debian DSA-4425-1 : wget - security update |
VRVDR-45897 | 7.5 | DSA-4416-1 | CVE-2019-5716, CVE-2019-5717, CVE-2019-5718, CVE-2019-5719, CVE-2019-9208, CVE-2019-9209, CVE-2019-9214: Debian DSA-4416-1 : wireshark - security update |
VRVDR-45553 | 5.9 | DSA-4400-1 | CVE-2019-1559: Debian DSA-4400-1 : openssl1.0 - security update |
VRVDR-45549 | 6.5 | DSA-4397-1 | CVE-2019-3824: Debian DSA-4397-1 : ldb - security update |
VRVDR-45347 | 6.8 | DSA-4387-1 | CVE-2018-20685, CVE-2019-6109, CVE-2019-6111: Debian DSA-4387-1 : openssh - security update |
The following commands have been deprecated from this patch and are no longer available:
• policy route pbr <name> rule <rule-number> application name <name>
• policy route pbr <name> rule <rule-number> application type <type>
• policy qos name <policy-name> shaper class <class-id> match <match-name> application name <name>
• policy qos name <policy-name> shaper class <class-id> match <match-name> application type <type>
• security application firewall name <name> rule <rule-number> name <app-name>
Running any of these commands will result in the error message “This feature is disabled.”
1801w
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-45672 | Critical | The RSA private key at /opt/vyatta/etc/config/ipsec.d/rsakeys/localhost.key has wrong permissions |
VRVDR-45591 | Critical | Interface IP MTU change not taking effect for Intel x710 NICs |
VRVDR-45466 | Minor | IPv6 address not abbreviated when config is loaded via PXE boot causing config-sync issues |
VRVDR-45414 | Minor | Vyatta-cpu-shield fails to start and throws OSError:[Errno 22] Invalid argument for various cores on a two socket system |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-45253 | 7.5 | DSA-4375-1 | CVE-2019-3813: Debian DSA 4375-1: spice - security update |
VRVDR-44922 | 7.5 | DSA-4355-1 | CVE-2018-0732, CVE-2018-0734, CVE-2018-0737, CVE-2018-5407: Debian DSA-4355-1 : openssl1.0 - security update |
VRVDR-43936 | 7.5 | DSA-4309-1 | CVE-2018-17540: Debian DSA-4309-1 : strongswan - security update |
1801v
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-45175 | Critical | Rsyslogd core dump when VRFs configured |
VRVDR-45057 | Critical | IPsec VTI tunnel interface in A/D state after initially coming up, IPsec SA remain UP |
VRVDR-44985 | Major | DNAT and Input Firewall logging / order of operation |
VRVDR-44944 | Critical | vyatta-config-vti.pl: Unsafe temporary file usage |
VRVDR-44941 | Minor | Static route missing in kernel due to brief VTI interface flap |
VRVDR-44914 | Critical | RPC ALG crash on both members of HA pair |
VRVDR-44668 | Major | With production traffic flow-monitoring stalls and stops reporting netflow statistics |
VRVDR-44667 | Minor | The interface order is not consistent between executions of 'show flow-monitoring' |
VRVDR-44657 | Major | IKEv1 re-key collision causes VTI interface to stay down when tunnels are up |
VRVDR-44560 | Major | Multiple rcu_sched CPU stalls pointing to ip_gre driver |
VRVDR-44517 | Minor | Dataplane crashes with panic in rte_ipv6_fragment_packet |
VRVDR-44282 | Major | Issue deleting /32 mask when both address with /32 mask and without are present together in address group |
VRVDR-44278 | Minor | "show address-group all ipv4 optimal" not producing any output |
VRVDR-44239 | Major | Request to enhance Web GUI verbiage for protocol drop-down when 'all' protocols are required |
VRVDR-44076 | Major | memory-leak in flow-monitoring leading to dataplane seg-fault and outage |
VRVDR-44007 | Critical | Dataplane segmentation fault at npf_dataplane_session_establish |
VRVDR-43909 | Minor | Connsync causes interfaces to go down after "restart vrrp" |
VRVDR-42679 | Major | syslog - crash in zactor_is |
VRVDR-42020 | Major | RIB stuck adding same route over and over again |
VRVDR-18095 | Minor | Flow monitoring stats is not captured as part of 'show tech-support' |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-45148 | N/A | DSA-4371-1 | CVE-2019-3462: Debian DSA-4371-1 – apt security update |
VRVDR-45043 | 8.8 | DSA-4369-1 | CVE-2018-19961, CVE-2018-19962, CVE-2018-19965, CVE-2018-19966, CVE-2018-19967: DSA 4369-1 - Xen security update |
VRVDR-45042 | N/A | DSA-4368-1 | CVE-2019-6250: Debian DSA-4368-1 : zeromq3 - security update |
VRVDR-45035 | N/A | DSA-4367-1 | CVE-2018-16864, CVE-2018-16865, CVE-2018-16866: Debian DSA-4367-1 : systemd - security update |
VRVDR-44956 | 7.5 | DSA-4359-1 | CVE-2018-12086, CVE-2018-18225, CVE-2018-18226, CVE-2018-18227, CVE-2018-19622, CVE-2018-19623, CVE-2018-19624, CVE-2018-19625, CVE-2018-19626, CVE-2018-19627, CVE-2018-19628: Debian DSA-4359-1 : wireshark - security update |
VRVDR-44747 | N/A | DSA-4350-1 | CVE-2018-19788: Debian DSA-4350-1 : policykit-1 - security update |
VRVDR-44634 | 8.8 | DSA-4349-1 | CVE-2017-11613, CVE-2017-17095, CVE-2018-10963, CVE-2018-15209, CVE-2018-16335, CVE-2018-17101, CVE-2018-18557, CVE-2018-5784, CVE-2018-7456, CVE-2018-8905: Debian DSA-4349-1 : tiff - security update |
VRVDR-44633 | 7.5 | DSA-4348-1 | CVE-2018-0732, CVE-2018-0734, CVE-2018-0735, CVE-2018-0737, CVE-2018-5407: Debian DSA-4348-1 : openssl - security update |
VRVDR-44611 | 9.8 | DSA-4347-1 | CVE-2018-18311, CVE-2018-18312, CVE-2018-18313, CVE-2018-18314: Debian DSA-4347-1 : perl - security update |
VRVDR-44348 | 9.8 | DSA-4338-1 | CVE-2018-10839, CVE-2018-17962, CVE-2018-17963: Debian DSA-4338-1: qemu security update |
VRVDR-43264 | 5.6 | DSA-4274-1 | CVE-2018-3620, CVE-2018-3646: Debian DSA-4274-1: xen security update |
1801u
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-44406 | Critical | With multiple subnet on same VIF low rate of transit traffic observed when compared to 5400 performance |
VRVDR-44253 | Minor | MSS clamping on bonding interface stops functioning after reboot |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-44277 | N/A | DSA-4332-1 | CVE-2018-16395, CVE-2018-16396: Debian DSA-4332-1 : ruby2.3 - security update |
VRVDR-44276 | N/A | DSA-4331-1 | CVE-2018-16839, CVE-2018-16842: Debian DSA-4331-1 : curl - security update |
1801t
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-44172 | Blocker | Error “interfaces [openvpn] is not valid” reported in mss-clamp tests |
VRVDR-43969 | Minor | Vyatta 18.x GUI reports the wrong status check memory usage |
VRVDR-43847 | Major | Slow throughput for TCP conversations on bonding interface |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-43842 | N/A | DSA-4305-1 | CVE-2018-16151, CVE-2018-16152: Debian DSA-4305-1: strongswan – security update |
1801s
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-44041 | Major | SNMP ifDescr oid slow response time |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-44074 | 9.1 | DSA-4322-1 | CVE-2018-10933: Debian DSA-4322-1: libssh – security update |
VRVDR-44054 | 8.8 | DSA-4319-1 | CVE-2018-10873: Debian DSA-4319-1: spice – security update |
VRVDR-44038 | N/A | DSA-4315-1 | CVE-2018-16056, CVE-2018-16057, CVE-2018-16058: Debian DSA-4315-1: wireshark – security update |
VRVDR-44033 | N/A | DSA-4314-1 | CVE-2018-18065: Debian DSA-4314-1: net-snmp – security update |
VRVDR-43922 | 7.8 | DSA-4308-1 | CVE-2018-6554, CVE-2018-6555, CVE-2018-7755, CVE-2018-9363, CVE-2018-9516, CVE-2018-10902, CVE-2018-10938, CVE-2018-13099, CVE-2018-14609, CVE-2018-14617, CVE-2018-14633, CVE-2018-14678, CVE-2018-14734, CVE-2018-15572, CVE-2018-15594, CVE-2018-16276, CVE-2018-16658, CVE-2018-17182: Debian DSA-4308-1: linux – security update |
VRVDR-43908 | 9.8 | DSA-4307-1 | CVE-2017-1000158, CVE-2018-1060, CVE-2018-1061, CVE-2018-14647: Debian DSA-4307-1: python3.5 - security update |
VRVDR-43884 | 7.5 | DSA-4306-1 | CVE-2018-1000802, CVE-2018-1060, CVE-2018-1061, CVE-2018-14647: Debian DSA-4306-1: python2.7 - security update |
1801r
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-43738 | Major | ICMP Unreachable packets returned through SNAT session are not delivered |
VRVDR-43538 | Major | Receive oversize errors on bonding interface |
VRVDR-43519 | Major | Vyatta-keepalived is running with no config present |
VRVDR-43517 | Major | Traffic fails when endpoint of VFP/Policy-based IPsec resides on the vRouter itself |
VRVDR-43477 | Major | Committing the IPsec VPN configuration returns the warning “Warning: unable to [VPN toggle net.ipv4.conf.intf.disable_policy], received error code 65280” |
VRVDR-43379 | Minor | NAT statistics incorrectly shown |
Security Vulnerabilities Resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-43837 | 7.5 | DSA-4300-1 | CVE-2018-10860: Debian DSA-4300-1: libarchive-zip-perl – security update |
VRVDR-43693 | N/A | DSA-4291-1 | CVE-2018-16741: Debian DSA-4291-1: mgetty – security update |
VRVDR-43578 | N/A | DSA-4286-1 | CVE-2018-14618: Debian DSA-4286-1: curl - security update |
VRVDR-43326 | N/A | DSA-4280-1 | CVE-2018-15473: Debian DSA-4280-1: openssh - security update |
VRVDR-43198 | N/A | DSA-4272-1 | CVE-2018-5391: Debian DSA-4272-1: linux security update (FragmentSmack) |
VRVDR-43110 | N/A | DSA-4265-1 | Debian DSA-4265-1 : xml-security-c - security update |
VRVDR-43057 | N/A | DSA-4260-1 | CVE-2018-14679, CVE-2018-14680, CVE-2018-14681, CVE-2018-14682: Debian DSA-4260-1 : libmspack - security update |
VRVDR-43026 | 9.8 | DSA-4259-1 | Debian DSA-4259-1 : ruby2.3 - security update |
VRVDR-42994 | N/A | DSA-4257-1 | CVE-2018-10906: Debian DSA-4257-1 : fuse - security update |
1801q
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-43531 | Major | Boot on 1801p results in kernel panic within roughly 40 seconds |
VRVDR-43104 | Critical | Fake Gratuitous ARP over DHCP network when IPsec is enabled |
VRVDR-41531 | Major | IPsec continues to attempt to use VFP interface after unbinding it |
VRVDR-43157 | Minor | When tunnel bounces SNMP trap is not properly generated. |
VRVDR-43114 | Critical | Upon reboot, a router in an HA pair with a higher priority than its peer does not honor its own “preempt false” configuration and becomes the master immediately following the boot |
VRVDR-42826 | Minor | With remote-id “0.0.0.0” peer negotiation fails due to pre-shared-key mismatch |
VRVDR-42774 | Critical | X710 (i40e) driver sending flow control frames at a very high rate |
VRVDR-42635 | Minor | BGP redistribute route-map policy change does not take effect |
VRVDR-42620 | Minor | Vyatta-ike-sa-daemon throws error “Command failed: establishing CHILD_SA passthrough-peer” while tunnel appears to be up |
VRVDR-42483 | Minor | TACACS authentication failing |
VRVDR-42283 | Major | VRRP state changes to FAULT for all interfaces when a vif interface ip is deleted |
VRVDR-42244 | Minor | Flow-monitoring only exports 1000 samples to collector |
VRVDR-42114 | Critical | HTTPS service MUST NOT expose TLSv1 |
VRVDR-41829 | Major | Dataplane core dumps until system becomes unresponsive with SIP ALG soak test |
VRVDR-41683 | Blocker | DNS name server address learned over VRF is not consistently recognized |
VRVDR-41628 | Minor | Route/prefix from router-advertisement active in kernel and data plane but ignored by RIB |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-43288 | 5.6 | DSA-4279-1 | CVE-2018-3620, CVE-2018-3646: Debian DSA-4279-1 – Linux security update |
VRVDR-43111 | N/A | DSA-4266-1 | CVE-2018-5390, CVE-2018-13405: Debian DSA-4266-1 – Linux security update |
1801n
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-42588 | Minor | Sensitive routing protocol configuration inadvertently leaked in system log |
VRVDR-42566 | Critical | After upgrading from 17.2.0h to 1801m, a day later multiple reboots occurred on both HA members |
VRVDR-42490 | Major | VTI-IPSEC IKE SAs fail around a minute after VRRP transition |
VRVDR-42335 | Major | IPSEC: remote-id “hostname” behavior changes from 5400 to 5600 |
VRVDR-42264 | Critical | No connectivity over SIT tunnel – “kernel: sit: non-ECT from 0.0.0.0 with TOS=0xd” |
VRVDR-41957 | Minor | Bi-directional NAT’ed packets too large for GRE fail to return ICMP Type 3 Code 4 |
VRVDR-40283 | Major | Configuration changes generate lots of log messages |
VRVDR-39773 | Major | Using a route-map with BGP vrrp-failover command can cause all prefixes to be withdrawn |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-42505 | N/A | DSA-4236-1 | CVE-2018-12891, CVE-2018-12892, CVE-2018-12893: Debian DSA-4236-1: xen - security update |
VRVDR-42427 | N/A | DSA-4232-1 | CVE-2018-3665: Debian DSA 4232-1: xen - security update |
VRVDR-42383 | N/A | DSA-4231-1 | CVE-2018-0495: Debian DSA-4231-1: libgcrypt20 - security update |
VRVDR-42088 | 5.5 | DSA-4210-1 | CVE-2018-3639: Debian DSA-4210-1: xen – security update |
VRVDR-41924 | 8.8 | DSA-4201-1 | CVE-2018-8897, CVE-2018-10471, CVE-2018-10472, CVE-2018-10981, CVE-2018-10982: Debian DSA-4201-1: xen – security update |
1801m
Released June 15, 2018.
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-42256 | Critical | No outbound traffic if latest established CHILD_SA gets deleted |
VRVDR-42084 | Blocker | NAT sessions linked to VFP interfaces for PB IPsec tunnels are not being created for packets that arrive on the router even though the router is configured to do so |
VRVDR-42018 | Minor | When “restart vpn” is run, an “IKE SA daemon: org.freedesktop.DBus.Error.Service.Unknown” error is thrown |
VRVDR-42017 | Minor | When “show vpn ipsec sa” is running on VRRP backup, “ConnectionRefusedError” error is thrown related to vyatta-op-vpn-ipsec-vici line 563 |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-42317 | 5.4 | DSA-4226-1 | CVE-2018-12015: Debian DSA-4226-1: perl – security update |
VRVDR-42284 | 7.5 | DSA-4222-1 | CVE-2018-12020: Debian DSA-4222-1: gnupg2 – security update |
1801k
Released June 8, 2018.
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-42084 | Blocker | NAT sessions linked to VFP interfaces for PB IPsec tunnels are not being created for packets that arrive on the router even though the router is configured to do so |
VRVDR-41944 | Major | After VRRP fail-over some VTI tunnels fail to re-establish until a “vpn restart” or peer reset is issued |
VRVDR-41906 | Major | PMTU discovery fails as ICMP type 3 code 4 messages are sent out from wrong source IP |
VRVDR-41558 | Major | The reported timestamps in packet traces are not consistent with the actual time and system clock |
VRVDR-41469 | Major | One interface link down – bond is not carrying traffic |
VRVDR-41420 | Major | LACP bonding state/link “u/D” with mode change active-backup to LACP |
VRVDR-41313 | Critical | IPsec – VTI interface instability |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-42207 | 7.5 | DSA-4217-1 | CVE-2018-11358, CVE-2018-11360, CVE-2018-11362, CVE-2018-7320, CVE-2018-7334, CVE-2018-7335, CVE-2018-7419, CVE-2018-9261, CVE-2018-9264, CVE-2018-9273: Debian DSA-4217-1: wireshark – security update |
VRVDR-42013 | N/A | DSA-4210-1 | CVE-2018-3639: Speculative execution, variant 4: speculative store bypass / Spectre v4 / Spectre-NG |
VRVDR-42006 | 9.8 | DSA-4208-1 | CVE-2018-1122, CVE-2018-1123, CVE-2018-1124, CVE-2018-1125, CVE-2018-1126: Debian DSA-4208-1: procps – security update |
VRVDR-41946 | N/A | DSA-4202-1 | CVE-2018-1000301: Debian DSA-4202-1: curl – security update |
VRVDR-41795 | 6.5 | DSA-4195-1 | CVE-2018-0494: Debian DSA-4195-1: wget – security update |
1801j
Released May 18, 2018
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-41481 | Minor | VRRP on bond interface does not send VRRP advertisement |
VRVDR-39863 | Major | VRRP fails over when customer removes routing-instance with GRE associated and tunnel local-address is part of VRRP |
VRVDR-27018 | Critical | Running configuration file is globally readable |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-41680 | 7.8 | DSA-4188-1 | Debian DSA-4188-1: linux – security update |
1801h
Released May 11, 2018.
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-41664 | Critical | Dataplane drops MTU sized ESP packets |
VRVDR-41536 | Minor | Dnsmasq service start-init limit hit when adding more than 4 static host entries if dns forwarding is enabled |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-41797 | 7.8 | DSA-4196-1 | CVE-2018-1087, CVE-2018-8897: Debian DSA-4196-1: linux security update |
1801g
Released May 4, 2018.
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-41620 | Major | vTI interface traffic stops sending traffic after new vIF is added |
VRVDR-40965 | Major | Bonding does not recover after a data plane crash |
1801f
Released April 23, 2018
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-41537 | Minor | Ping is not working over IPsec tunnel on 1801d |
VRVDR-41283 | Minor | Configd stops processing static routes during boot if the configuration has disabled static routes |
VRVDR-41266 | Major | Static route leaking to VRF does not transit traffic across mGRE tunnel after reboot |
VRVDR-41255 | Major | When slave goes down it takes over 60s for master link state to reflect that |
VRVDR-41252 | Major | With unbound VTI in zone-policy, drop rule is bypassed depending on commit order of zone rules |
VRVDR-41221 | Critical | Upgrading vRouters from 1801b to 1801c to 1801d with 10% failure rate |
VRVDR-40967 | Major | Disabling IPv6 forwarding prevents routing of VTI sourced IPv4 packets |
VRVDR-40858 | Major | VTI interface showing MTU 1428 causing TCP PMTU issues |
VRVDR-40857 | Critical | Vhost-bridge does not come up for tagged VLAN with interface names of a certain length |
VRVDR-40803 | Minor | VIF interfaces are not present in “show vrrp” output after a reboot |
VRVDR-40644 | Major | IKEv1: QUICK_MODE re-transmits are not handled correctly |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-41512 | 9.8 | DSA-4172-1 | CVE-2018-6797, CVE-2018-6798, CVE-2018-6913: Debian DSA-4172-1: perl – security update |
VRVDR-41331 | 6.5 | DSA-4158-1 | CVE-2018-0739: Debian DSA-4158-1: openssl1.0 – security update |
VRVDR-41330 | 6.5 | DSA-4157-1 | CVE-2017-3738, CVE-2018-0739: Debian DSA-4157-1: openssl – security update |
VRVDR-41215 | 6.1 | CVE-2018-1059 | CVE-2018-1059 – DPDK vhost out of bound host memory access from VM guests |
1801e
Released March 28, 2018.
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-39985 | Minor | TCP DF packets larger than GRE tunnel MTU are dropped with no ICMP fragmentation needed returned |
VRVDR-41088 | Critical | Extended (4 byte) ASN not represented internally as unsigned type |
VRVDR-40988 | Critical | Vhost not starting when used with certain number of interfaces |
VRVDR-40927 | Critical | DNAT: SDP in SIP 200 OK not translated when it follows a 183 response |
VRVDR-40920 | Major | With 127.0.0.1 as listen-address snmpd does not start |
VRVDR-40920 | Critical | ARP doesn’t work over bonded SR-IOV interface |
VRVDR-40294 | Major | Dataplane doesn’t restore previous queues after slave is removed from bonding group |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-41172 | N/A | DSA-4140-1 | DSA 4140-1: libvorbis security update |
1801d
Released March 8, 2018.
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-40940 | Major | Data plane crash related to NAT/firewall |
VRVDR-40886 | Major | Combining icmp name <value> with a number of other configurations for the rule will cause firewall to not load |
VRVDR-39879 | Major | Configuring bonding for jumbo frames fails |
Security vulnerabilities resolved
Issue Number | CVSS score | Advisory | Summary |
---|---|---|---|
VRVDR-40327 | 9.8 | DSA-4098-1 | |
VRVDR-39907 | 7.8 | CVE-2017-5717 | Branch target injection / CVE-2017-5715 / Spectre, aka variant #2 |
1801c
Released March 7, 2018.
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-40281 | Major | After upgrading from 5.2 to more recent version error “-vbash: show: command not found” in operation mode |
1801b
Released February 21, 2018.
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-40622 | Major | Cloud-init images fail to detect correctly if IP address has been obtained from DHCP server |
VRVDR-40613 | Critical | Bond interface does not come up if one of the physical links is down |
VRVDR-40328 | Major | Cloud-init images take a long time to boot |
1801a
Released February 7, 2018.
Issues resolved
Issue Number | Priority | Summary |
---|---|---|
VRVDR-40324 | Major | Load averages exceed 1.0 with no load on router with bonding interface |