If you are using the current version of Cumulus Linux, the content on this page may not be up to date. The current version of the documentation is available here. If you are redirected to the main page of the user guide, then this page may have been renamed; please search for it there.

Cumulus Linux 4.3 Release Notes


4.3.2 Release Notes

Open Issues in 4.3.2

Each entry lists the issue ID (with the CM- identifier where one is listed), a description of the issue, the Cumulus Linux releases the issue affects (Affects), and the releases that contain the fix (Fixed in).
Issue ID: 3773177
When you try to upgrade a switch from Cumulus Linux 5.5 or earlier to 5.8.0 with package upgrade, you see errors for expired GPG keys that prevent you from upgrading. To work around this issue, install the new keys with the following commands, then upgrade the switch.
cumulus@switch:~$ wget https://download.nvidia.com/cumulus/apt.cumulusnetworks.com/repo/pool/cumulus/c/cumulus-archive-keyring/cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt install ./cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt update
cumulus@switch:~$ sudo apt upgrade
Affects: 4.0.0-4.4.5, 5.0.0-5.8.0
Issue ID: 3684998
DHCP lease information is not collected in the cl-support file.
Affects: 4.3.0-5.6.0
Fixed in: 5.7.0-5.8.0
Issue ID: 3647424
When you remove the update-source configuration for a BGP neighbor, the peering is reset if the neighbor is a member of a peer group with the same update-source configuration.
Affects: 4.3.0-5.5.1
Fixed in: 5.6.0-5.8.0
Issue ID: 3488136
When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf router bgp neighbor address-family in command.
Affects: 4.2.1-5.5.1
Fixed in: 5.6.0-5.8.0
Issue ID: 3474391
The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB.
Affects: 4.3.1-5.5.1
Fixed in: 5.6.0-5.8.0
Issue ID: 3429530
On Spectrum-2 and Spectrum-3 switches, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time.
Affects: 4.2.1-5.4.0
Fixed in: 5.5.0-5.8.0
Issue ID: 3330705
When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present.
Affects: 3.7.0-5.3.1
Fixed in: 5.4.0-5.8.0
Issue ID: 3327477
If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 through tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 through tacacs15 user password.
Affects: 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.8.0
Issue ID: 3321391
On the NVIDIA SN2410 switch, ports with optical transceivers show FAULT errors in the sensor command output.
Affects: 4.2.1-5.3.1
Fixed in: 5.4.0-5.8.0
Issue ID: 3291548
In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As a result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart switchd.
Affects: 4.2.1-4.4.5
Fixed in: 5.0.0-5.8.0
Issue ID: 3218207
Certain routes on tenant VRFs have missing next hop entries because the router MAC address is missing in the bridge forwarding database table that corresponds to the remote VTEP. As a result, traffic forwarding is affected for these routes.
Affects: 4.3.0-5.2.1
Fixed in: 5.3.0-5.8.0
Issue ID: 3216921
RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users).
Affects: 3.7.0-3.7.16, 4.3.0-4.4.5
Issue ID: 3216759
With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool, and the ACL might not work correctly:
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode.
Affects: 3.7.15-3.7.16, 4.3.0-4.4.5
Issue ID: 3168564
In a large scale VXLAN configuration (for example, if you have more than 8500 VLANs across ports), switchd might crash when you restart clagd or when all bonds go operationally down, then up.
On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scale limit for VXLAN deployments with 8500 VLANs across ports with LACP bypass disabled.
Affects: 4.3.1-4.4.5
Issue ID: 3163845
If bond slaves listed in the /etc/network/interfaces file are not in alphabetical order, the bond interface MAC address can change when you run ifreload. For example, if the bond slaves in the /etc/network/interfaces file are listed as swp32 swp31, the switch initially uses the MAC address for swp32 as the bond MAC address. Another ifreload can cause this to change to use the MAC address for swp31 as the bond MAC address, which can cause protocol issues, such as IPv6 link-local address changes.
Affects: 4.3.1-4.4.5
Issue ID: 3138746
The switch duplicates DHCP packets that pass through the VTEP.
Affects: 4.3.0-5.1.0
Fixed in: 5.2.0-5.8.0
Issue ID: 3131423
During EVPN multihoming bond failover, ARP and ND redirection fails if you configure layer 2 VNIs and ES bonds before you configure the loopback IP address of the switch. To work around this issue, configure the loopback IP address, then restart FRR with the systemctl restart frr command.
Affects: 4.3.0-5.1.0
Fixed in: 5.2.0-5.8.0
Issue ID: 3129819
On the EdgeCore AS4610 switch, the clagd service loses communication after 198 days of uptime.
Affects: 3.7.15-3.7.16, 4.3.0-4.4.5
Issue ID: 3119615
In an MLAG topology, if you admin down a single connected interface, any dynamic MAC addresses on the peer link are flushed, then added back momentarily, which creates a disruption in traffic.
Affects: 3.7.15-5.1.0
Fixed in: 5.2.0-5.8.0
Issue ID: 3117340
When you edit the /usr/share/openvswitch/scripts/ovs-ctl-vtep file to change the ovs-vtepd configuration between vlan-aware and vlan-unaware mode, ovs-vtepd crashes when you restart the service. To recover, restart the networking service with the sudo systemctl restart networking command.
Affects: 4.3.0-5.1.0
Fixed in: 5.2.0-5.8.0
Issue ID: 3093966
On Broadcom switches, INPUT chain iptable rules filter IPv6 packets matching the rules.
Affects: 3.7.15-3.7.16, 4.3.0-4.4.5
Issue ID: 3093863
The snmpd process slowly leaks memory when you poll TCP-MIB objects. To work around this issue, restart the snmpd service to free memory with the systemctl restart snmpd command.
Affects: 3.7.16-4.4.3
Fixed in: 4.4.4-4.4.5, 5.2.0-5.8.0
Issue ID: 3089165
A slow memory leak might occur in switchd if the route fails to install in hardware when hardware resources are exhausted.
Affects: 4.2.1-4.4.3
Fixed in: 4.4.4-4.4.5
Issue ID: 3084027
Under a high load, you might see ingress drop counters increase. The drops are classified as HwIfInDiscards in ethtool and shown as ingress_general in hardware.
Affects: 4.3.0-4.4.5, 5.0.0-5.8.0
Issue ID: 3073668
On the EdgeCore AS4610 switch, when you change the speed of any of the SFP+ ports, the other SFP+ ports flap.
Affects: 3.7.12-3.7.16, 4.3.0-4.4.5
Issue ID: 3072613
When you delete a bond interface with NCLU, BGP peer group configuration is removed.
Affects: 3.7.15-3.7.16, 4.3.0-4.4.5
Issue ID: 3059135
In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route.
To resolve this issue, restart FRR with the sudo systemctl restart frr command.
Affects: 4.3.0-5.1.0
Fixed in: 5.2.0-5.8.0
Issue ID: 3046023
The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install.
Affects: 4.2.1-5.1.0
Fixed in: 5.2.0-5.8.0
Issue ID: 3007564
After you delete the last vxlan-remoteip configuration line from the /etc/network/interfaces file and run the ifreload -a command, the corresponding BUM flood entry is not removed.
Affects: 3.7.15-5.0.1
Fixed in: 5.1.0-5.8.0, 5.2.0-5.8.0
Issue ID: 2999341
CVE-2021-3570: The ptp4l program in linuxptp, an implementation of the Precision Time Protocol (PTP), does not validate the messageLength field of incoming messages, allowing a remote attacker to cause a denial of service, information leak, or potentially remote code execution.
Fixed: 1.9.2-1+deb10u1
Affects: 4.2.1-4.4.1
Fixed in: 4.4.2-4.4.5
Issue ID: 2968495
If switchd requires more time to update port or bond configuration after the port or bond flaps, the systemd watchdog times out. As a result, systemd might assume that switchd is unresponsive and restart it.
Affects: 4.2.1-4.4.2
Fixed in: 4.4.3-4.4.5, 5.1.0-5.8.0
Issue ID: 2961008
SNMP reports the same ifType of ethernetCsmacd(6) for loopback interfaces.
Affects: 3.7.15-4.4.2, 5.0.0-5.0.1
Fixed in: 4.4.3-4.4.5, 5.1.0-5.8.0
Issue ID: 2951110
The net show time ntp servers command does not show any output with the management VRF.
Affects: 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.8.0
Issue ID: 2940051
In an MLAG configuration with traditional bridges, MAC addresses are seen over the peer link during ifreload when adding new VLANs or bridges.
Affects: 3.7.14.2-3.7.15, 4.3.0-4.4.5
Fixed in: 3.7.16, 5.0.0-5.8.0
Issue ID: 2902013
The NCLU commit command adds a five second delay.
Affects: 4.2.1-4.4.5
Issue ID: 2896450 (CM-31978)
On the Dell N3248PXE switch, fixed RJ45 interfaces with PoE neighbors can end up in Paused mode after a switchd restart, which blocks traffic on that interface. To work around this issue, restart switchd a second or third time until all interfaces are functioning correctly, or reboot the switch.
Affects: 4.3.0-4.4.5
Issue ID: 2893895 (CM-33315)
CVE-2020-35498: A vulnerability was found in openvswitch. A limitation in the implementation of userspace packet parsing can allow a malicious user to send a specially crafted packet causing the resulting megaflow in the kernel to be too wide, potentially causing a denial of service. The highest threat from this vulnerability is to system availability.
Vulnerable: <= 2.8.90-1-cl4u5
Fixed: 2.8.90-1-cl4u6, 2.8.90-1-cl4.4.0u1, 2.8.90-1-cl5.0.0u8
Affects: 4.0.0-4.3.2
Fixed in: 4.4.0-4.4.5, 5.1.0-5.8.0
Issue ID: 2891255
CVE-2021-39925: Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file.
Vulnerable: <= 2.6.20-0+deb10u1
Fixed: 2.6.20-0+deb10u2
Affects: 4.0.0-4.4.1, 5.0.0-5.8.0
Fixed in: 4.4.2-4.4.5
Issue ID: 2890681
CVE-2021-42771: relative path traversal in Babel, a set of tools for internationalising Python applications, could result in the execution of arbitrary code.
Vulnerable: 2.6.0+dfsg.1-1
Fixed: 2.6.0+dfsg.1-1+deb10u1
Affects: 4.0.0-4.4.1, 5.0.0-5.8.0
Fixed in: 4.4.2-4.4.5
Issue ID: 2866080
On the Maverick S4148T switch with MLAG, Cumulus Linux drops LACP, ARP, LLDP and BGP traffic.
Affects: 4.3.0-4.4.5
Issue ID: 2854787
An unexpected software system shutdown can occur due to a thermal zones issue in the hw-management package. The following message might appear in /var/log/syslog before the shutdown:
thermal thermal_zoneX: critical temperature reached (33 C), shutting down
Affects: 4.3.0-4.3.2
Fixed in: 4.4.0-4.4.5, 5.1.0-5.8.0
Issue ID: 2854784
After building VLAN or VXLAN interfaces, MLAG becomes unstable.
Affects: 4.3.0-4.4.1
Fixed in: 4.4.2-4.4.5, 5.0.0-5.8.0
Issue ID: 2845531
If you update the MAC address of an SVI when the SVI is in a protodown state (for example, when no bridge ports that carry this VNI are operationally up or if the MAC address of the SVI's parent bridge changes), clagd does not notice the change. The MLAG peer incorrectly maintains a PERMANENT neighbor entry for the SVI IP that points to the old MAC address.
Affects: 4.2.1-4.4.5
Fixed in: 5.0.0-5.8.0
Issue ID: 2838905
On Broadcom ARM switches, the NTP clock slowly drifts to a very high offset (over 500ms) and the clock is not able to synchronize. To work around this issue, use the chrony implementation of NTP instead of ntpd. chrony synchronizes the system clock faster and with better accuracy.
Instructions for using chrony are here: https://docs.nvidia.com/networking-ethernet-software/knowledge-base/Network-Solutions/Chrony-on-Cumulus-Linux/
Affects: 4.3.0-4.4.5
Issue ID: 2820565
SNMP does not start and you see errors similar to the following:
cumulus@switch:~$ sudo systemctl status snmpd.service
snmpd.service - Simple Network Management Protocol (SNMP) Daemon.
Loaded: loaded (/lib/systemd/system/snmpd.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Mon 2021-10-11 14:38:13 UTC; 1min 8s ago
Process: 1987 ExecStart=/usr/sbin/snmpd $SNMPDOPTS -f (code=exited, status=1/FAILURE)
Main PID: 1987 (code=exited, status=1/FAILURE)
To work around this issue, run the sudo systemctl restart snmpd.service command.
Affects: 4.3.0-4.4.5
Fixed in: 5.0.0-5.8.0
Issue ID: 2803044
In an EVPN configuration with IP or MAC mobility, higher MM EVPN routes do not remove the old ARP entries during VIP migration between VTEP racks.
Affects: 3.7.14.2-3.7.15, 4.3.0-4.4.5
Fixed in: 3.7.16
Issue ID: 2794766
The Mellanox 3700C switch reports a slow memory leak in sx_sdk. Memory increases by about 240B/hour and does not free up.
Affects: 4.3.0-4.4.5
Fixed in: 5.0.0-5.8.0
Issue ID: 2792616
If a neighbor entry (ARP or NDP) is used as a next hop of a route that is synchronized into hardware, the neighbor entry is not removed from hardware after the neighbor is no longer reachable. As a result, routed traffic matching this prefix is incorrectly hardware forwarded through the stale neighbor information.
Affects: 4.3.0-4.4.5
Fixed in: 5.0.0-5.8.0
Issue ID: 2783611
If you remove ports from a bridge and add IP addresses in one ifreload, connected routes are bound to the wrong routing information field.
Affects: 4.3.0-4.4.1
Fixed in: 4.4.2-4.4.5
Issue ID: 2782033
The following vulnerabilities have been announced in the openssl packages:
CVE-2021-3711: buffer overflow vulnerability in SM2 decryption
CVE-2021-3712: buffer overrun when processing ASN.1 strings in the X509_aux_print() function
More details at https://www.openssl.org/news/secadv/20210824.txt
Vulnerable: <= 1.1.1d-0+deb10u6
Fixed: 1.1.1d-0+deb10u7
Affects: 4.0.0-4.4.1
Fixed in: 4.4.2-4.4.5
Issue ID: 2781537
In Cumulus VX, the iptables FORWARD chain does not count hits. To work around this issue, use -t mangle -A PREROUTING instead of FORWARD.
Affects: 4.3.0-4.4.5
Fixed in: 5.0.0-5.8.0
Issue ID: 2771871
IPv4 and IPv6 neighbor entries in a FAILED state are incorrectly programmed into hardware as FORWARD entries instead of TRAP entries. Traffic is forwarded to these neighbors with a destination MAC address of 00:00:00:00:00:00 instead of trapping them to the CPU to resolve the correct MAC address.
This affects failed neighbor entries on routed interfaces that are not SVIs.
Affects: 4.3.0-4.4.1
Fixed in: 4.4.2-4.4.5
Issue ID: 2771653
When using W-ECMP, the weights for various BGP next hops can sometimes be in the range of 100s or more, which consumes a lot of hardware space.
Affects: 4.3.0-4.4.5
Issue ID: 2754791
Remote MAC addresses in zebra are out of sync with bgpd. The zebra MAC addresses point to an incorrect (old) VTEP IP address and the sequence number is one higher than in BGP.
Affects: 3.7.14.2-3.7.16, 4.3.0-4.4.5
Issue ID: 2754691
CVE-2021-3672: in c-ares, a library that performs DNS requests and name resolution asynchronously, missing input validation of hostnames returned by DNS servers can lead to output of wrong hostnames (leading to Domain Hijacking).
Vulnerable: 1.14.0-1
Fixed: 1.14.0-1+deb10u1
Affects: 4.0.0-4.4.1
Fixed in: 4.4.2-4.4.5
Issue ID: 2754685
CVE-2021-38165: lynx, a non-graphical (text-mode) web browser, does not properly handle the userinfo subcomponent of a URI, which can lead to leaking of credentials in cleartext in SNI data.
Vulnerable: 2.8.9rel.1-3
Fixed: 2.8.9rel.1-3+deb10u1
Affects: 4.0.0-4.4.1
Fixed in: 4.4.2-4.4.5
Issue ID: 2754679
CVE-2020-26558 / CVE-2021-0129: Bluez does not properly check permissions during the pairing operation, which could allow an attacker to impersonate the initiating device.
CVE-2020-27153: a double free flaw in the disconnect_cb() routine in the gattool. A remote attacker can take advantage of this flaw during service discovery for denial of service, or potentially, execution of arbitrary code.
Vulnerable: <= 5.50-1.2~deb10u1
Fixed: 5.50-1.2~deb10u2
Affects: 4.0.0-4.4.1
Fixed in: 4.4.2-4.4.5
Issue ID: 2753955
On the Lenovo MSN3700 switch, if you try to configure an interface with a link speed of 200G, the configuration fails.
Affects: 4.2.1-4.4.5
Fixed in: 5.0.0-5.8.0
Issue ID: 2747605
CVE-2021-3246: a buffer overflow in libsndfile, a library for reading/writing audio files, which could result in denial of service or potentially the execution of arbitrary code when processing a malformed audio file.
Vulnerable: 1.0.28-6
Fixed: 1.0.28-6+deb10u1
Affects: 4.0.0-4.4.1
Fixed in: 4.4.2-4.4.5
Issue ID: 2743186
When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish.
Affects: 3.7.15-5.1.0
Fixed in: 5.2.0-5.8.0
Issue ID: 2739690
CVE-2021-22918: An out-of-bounds read was discovered in the uv__idna_to_ascii() function of Libuv, an asynchronous event notification library, which could result in denial of service or information disclosure.
Vulnerable: 1.24.1-1
Fixed: 1.24.1-1+deb10u1
Affects: 4.0.0-4.4.1
Fixed in: 4.4.2-4.4.5
Issue ID: 2739639
CVE-2021-36222: It was discovered that the Key Distribution Center (KDC) in krb5, the MIT implementation of Kerberos, is prone to a NULL pointer dereference flaw. An unauthenticated attacker can take advantage of this flaw to cause a denial of service (KDC crash) by sending a request containing a PA-ENCRYPTED-CHALLENGE padata element without using FAST.
Vulnerable: <= 1.17-3+deb10u1
Fixed: 1.17-3+deb10u2
Affects: 4.0.0-4.4.1
Fixed in: 4.4.2-4.4.5
Issue ID: 2739402
The destination MAC address of ERSPAN GRE packets is set to all zeros.
Affects: 4.3.0-4.4.5
Fixed in: 5.0.0-5.8.0
Issue ID: 2734122
CVE-2021-33910: The Qualys Research Labs discovered that an attacker-controlled allocation using the alloca() function could result in memory corruption, allowing systemd, and hence the entire operating system, to be crashed. Details can be found at https://www.qualys.com/2021/07/20/cve-2021-33910/denial-of-service-systemd.txt
Vulnerable: <= 241-7~deb10u7
Fixed: 241-7~deb10u8
Affects: 4.0.0-4.4.1
Fixed in: 4.4.2-4.4.5
Issue ID: 2734119
The ESI line in the show bgp l2vpn evpn route command output always shows VNI: 0. This is a cosmetic software issue.
Affects: 4.3.0-4.4.5
Fixed in: 5.0.0-5.8.0
Issue ID: 2734103
ACL [No More Resources] messages keep appearing and you cannot reinstall the ACL.
Affects: 4.3.0-5.1.0
Fixed in: 5.2.0-5.8.0
Issue ID: 2728207
CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Affects: 3.7.0-3.7.16, 4.0.0-4.4.5
Issue ID: 2728206
CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Affects: 3.7.0-3.7.16, 4.0.0-4.4.5
Issue ID: 2728205
CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Affects: 3.7.0-4.4.1
Fixed in: 4.4.2-4.4.5
Issue ID: 2728134
CVE-2021-27212: A vulnerability in the Certificate List Exact Assertion validation was discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of this flaw to cause a denial of service (slapd daemon crash) via specially crafted packets.
Vulnerable: <= 2.4.47+dfsg-3+deb10u5
Fixed: 2.4.47+dfsg-3+deb10u6
Affects: 4.0.0-4.3.2
Fixed in: 4.4.0-4.4.5
Issue ID: 2728119
When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the sudo systemctl restart frr command.
Affects: 4.3.0-4.4.5
Fixed in: 5.0.0-5.8.0
Issue ID: 2713888
With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool, and the ACL might not work correctly:
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode.
Affects: 3.7.15-5.0.1
Fixed in: 5.1.0-5.8.0
Issue ID: 2711533
On the AS7326-56X switch, the link lights for 25G ports configured to work at 1G do not illuminate.
Affects: 4.2.1-4.4.5
Issue ID: 2710208
The net show bgp neighbor command output shows the BFD status as UP even when the BGP neighbor is not established, such as when the interface is down.
Affects: 4.2.1-4.4.5
Issue ID: 2706744
In an EVPN multihoming configuration, the VTEP continues to advertise a stale route after an extended MAC mobility event.
Affects: 4.3.0-4.4.1
Fixed in: 4.4.2-4.4.5
Issue ID: 2700767
Following an event that causes the peerlink bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a peer IP mismatch. This behavior is seen when you use an MLAG peer IP linklocal configuration.
Affects: 3.7.12-3.7.15, 4.3.0-4.4.5
Fixed in: 3.7.16
Issue ID: 2695526
CVE-2021-3580 CVE-2021-20305: Multiple vulnerabilities were discovered in nettle, a low level cryptographic library, which could result in denial of service (remote crash in RSA decryption via specially crafted ciphertext, crash on ECDSA signature verification) or incorrect verification of ECDSA signatures.
Vulnerable: 3.4.1-1
Fixed: 3.4.1-1+deb10u1
Affects: 4.0.0-4.3.2
Fixed in: 4.4.0-4.4.5
Issue ID: 2690017
When you remove a bond member, then re-add it, you might see a Parameter Error failure in syslog and switchd.log:
sx_sdk: LAG: Can't add port (0x00012400) to lag. Port has vports configured for it (Parameter Error)
switchd[4529]: hal_mlx_bond.c:582 ERR bond32 member swp32 add failed: Parameter Error
To work around this issue, restart switchd.
Affects: 4.3.0-4.3.2
Fixed in: 4.4.0-4.4.5
Issue ID: 2687159
CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331 CVE-2020-36332: Multiple vulnerabilities were discovered in libwebp, the implementation of the WebP image format, which could result in denial of service, memory disclosure or potentially the execution of arbitrary code if malformed images are processed.
Vulnerable: 0.6.1-2
Fixed: 0.6.1-2+deb10u1
Affects: 4.0.0-4.3.2
Fixed in: 4.4.0-4.4.5
Issue ID: 2685994
When you use the NVUE command nv set interface lo router ospf area to configure OSPF on a loopback interface, the configuration fails to apply.
To work around this issue, configure the loopback interface in the desired OSPF area with the nv set vrf default router ospf area 0 network command and reference the assigned prefix of the loopback interface. For example:
cumulus@leaf01:~$ nv set vrf default router ospf area 0 network 10.10.10.1/32
Affects: 4.0.0-5.0.1
Fixed in: 5.1.0-5.8.0
Issue ID: 2682971
CVE-2020-12762: integer overflow in the json-c JSON library, which could result in denial of service or potentially the execution of arbitrary code if large malformed JSON files are processed.
Vulnerable: 0.12.2+cl4u1
Fixed: 0.12.2+cl4.4.0u1
Affects: 4.0.0-4.3.2
Fixed in: 4.4.0-4.4.5
Issue ID: 2682780
Adding a route map configuration after a MAC access list configuration line causes the route map configuration to be applied incorrectly.
To work around this issue, add the MAC access list configuration to the end of the /etc/frr/frr.conf file.
Affects: 4.2.0-4.3.2
Fixed in: 4.4.0-4.4.5
Issue ID: 2679950
CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash.
Vulnerable: <= 4.3.1-6-cl3.7.14u1
Fixed: 4.3.1-6-cl3.7.16u1
Affects: 3.7.0-3.7.15, 4.0.0-4.3.2
Fixed in: 3.7.16, 4.4.0-4.4.5
Issue ID: 2671667
CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code.
Vulnerable: <= 1.14.2-2+deb10u3
Fixed: 1.14.2-2+deb10u4
Affects: 4.0.0-4.3.2
Fixed in: 4.4.0-4.4.5
Issue ID: 2669873
In an EVPN multihoming configuration, ARP/ND traffic coming in on one switch is sent back out the originating bond on the other switches in the ES on remote PE switches. Normally, split horizon filtering prevents this kind of traffic at the remote PE.
Affects: 4.3.0-4.3.2
Fixed in: 4.4.0-4.4.5
Issue ID: 2669858 (CM-32169)
OpenSSH is vulnerable to CVE-2020-14145, as described in https://www.fzi.de/fileadmin/user_upload/2020-06-26-FSA-2020-2.pdf.
This is an information leak in algorithm negotiation that can allow man-in-the-middle attacks on initial connection attempts without a previously stored server host key on the client. If desired, mitigation using UpdateHostKeys and HostKeyAlgorithms is also given in that paper.
Affects: 3.7.14-3.7.16, 4.0.0-4.4.5
Issue ID: 2669073
On Spectrum, Spectrum-2, and Spectrum-3 switches, the l1-show command shows the wrong data when the MST service is stopped.
To work around this issue, start the MST service with the sudo mst start command.
Affects: 4.3.0-4.3.2
Fixed in: 4.4.0-4.4.5
Issue ID: 2666838
CVE-2021-31535: missing length validation in various functions provided by libx11, the X11 client-side library, allows injection of X11 protocol commands on X clients, leading to authentication bypass, denial of service or potentially the execution of arbitrary code.
Vulnerable: <= 1.6.7-1+deb10u1
Fixed: 1.6.7-1+deb10u2
Affects: 4.0.0-4.3.2
Fixed in: 4.4.0-4.4.5
Issue ID: 2663479
CVE-2021-3520: integer overflow flaw in lz4, a fast LZ compression algorithm library, resulting in memory corruption.
Vulnerable: 1.8.3-1
Fixed: 1.8.3-1+deb10u1
Affects: 4.0.0-4.3.2
Fixed in: 4.4.0-4.4.5
Issue ID: 2656527
CVE-2020-18032: A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file.
Vulnerable: 2.40.1-6
Fixed: 2.40.1-6+deb10u1
Affects: 4.0.0-4.3.2
Fixed in: 4.4.0-4.4.5
Issue ID: 2648658
If you try to use more than one percent of max-ecmp-nexthops, you get an error indicating a failure.
Affects: 3.7.15-4.3.2
Fixed in: 4.4.0-4.4.5
Issue ID: 2644053
The following vulnerabilities have been announced in BIND:
CVE-2021-25214: a malformed incoming IXFR transfer could trigger an assertion failure in named, resulting in denial of service.
CVE-2021-25215: named could crash when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query.
CVE-2021-25216: the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries.
Vulnerable: <= 9.11.5.P4+dfsg-5.1+deb10u4
Fixed: 9.11.5.P4+dfsg-5.1+deb10u5
Affects: 4.0.0-4.3.2
Fixed in: 4.4.0-4.4.5
Issue ID: 2639303
When you use NCLU to delete a bond, then add an interface, NCLU reports an error similar to the following:
ERROR: 'NoneType' object has no attribute 'conf_key_value_multiple_values'
See /var/log/netd.log for more details.
Affects: 4.3.0-4.4.5
Issue ID: 2632379
When you upgrade the switch with apt-get upgrade, the kexec-tools package is not installed, which causes the Smart System Manager fast restart mode to work incorrectly.
Affects: 4.3.0-4.3.2
Fixed in: 4.4.0-4.4.5
Issue ID: 2628515
CVE-2020-12695: hostapd does not properly handle UPnP subscribe messages under certain conditions, allowing an attacker to cause a denial of service.
Vulnerable: <= 2.8.0-cl3.7.15u2
Fixed: 2.8.0-cl3.7.15u3
Affects: 3.7.14-3.7.14.2, 4.3.0-4.3.2
Fixed in: 3.7.15-3.7.16, 4.4.0-4.4.5
Issue ID: 2618227
The NCLU net show bridge macs command displays permanent MAC addresses for trunked VLANs.
Affects: 4.3.0-4.4.5
Issue ID: 2617000
CVE-2021-26933 CVE-2021-27379: Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, privilege escalation or memory disclosure.
Vulnerable: < 4.11.4+99-g8bce4698f6-1
Fixed: 4.11.4+99-g8bce4698f6-1
Affects: 4.0.0-4.3.2
Fixed in: 4.4.0-4.4.5
Issue ID: 2616998
CVE-2021-23358: missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code.
Vulnerable: 1.9.1~dfsg-1
Fixed: 1.9.1~dfsg-1+deb10u1
Affects: 4.0.0-4.3.2
Fixed in: 4.4.0-4.4.5
Issue ID: 2616987
CVE-2020-6851 CVE-2020-8112 CVE-2020-15389 CVE-2020-27814 CVE-2020-27823 CVE-2020-27824 CVE-2020-27841 CVE-2020-27842 CVE-2020-27843 CVE-2020-27845: Multiple vulnerabilities have been discovered in openjpeg2, the open-source JPEG 2000 codec, which could result in denial of service or the execution of arbitrary code when opening a malformed image.
Vulnerable: <= 2.3.0-2+deb10u1
Fixed: 2.3.0-2+deb10u2
Affects: 4.0.0-4.3.2
Fixed in: 4.4.0-4.4.5
Issue ID: 2616976
Multiple vulnerabilities were discovered in cURL, a URL transfer library:
CVE-2020-8169: partial password leak to DNS servers
CVE-2020-8177: malicious server could cause curl -J -i to overwrite a local file
CVE-2020-8231: libcurl with CURLOPT_CONNECT_ONLY information leak due to wrong connection
CVE-2020-8284: PASV response could trick curl into connecting back to an arbitrary IP address and port
CVE-2020-8285: libcurl could run out of stack space using FTP wildcard matching (CURLOPT_CHUNK_BGN_FUNCTION)
CVE-2020-8286: failure to verify that OCSP response matches intended certificate
CVE-2021-22876: libcurl did not strip user credentials from URL when populating Referer HTTP request header
CVE-2021-22890: libcurl using HTTPS proxy with TLS1.3 could use the wrong session ticket and bypass server TLS certificate check
Vulnerable: <= 7.64.0-4+deb10u1
Fixed: 7.64.0-4+deb10u2
Affects: 4.0.0-4.3.2
Fixed in: 4.4.0-4.4.5
Issue ID: 2616967
CVE-2021-28957: lxml, a Python binding for the libxml2 and libxslt libraries, did not properly sanitize its input. This would allow a malicious user to mount a cross-site scripting attack.
Vulnerable: <= 4.3.2-1+deb10u2
Fixed: 4.3.2-1+deb10u3
Affects: 4.0.0-4.3.2
Fixed in: 4.4.0-4.4.5
Issue ID: 2616964
CVE-2021-27291: Pygments, a syntax highlighting package written in Python 3, used regular expressions which could result in denial of service.
Vulnerable: <= 2.3.1+dfsg-1+deb10u1
Fixed: 2.3.1+dfsg-1+deb10u2
Affects: 4.0.0-4.3.2
Fixed in: 4.4.0-4.4.5
Issue ID: 2616954
CVE-2021-3449: A NULL pointer dereference was found in the signature_algorithms processing in OpenSSL, a Secure Sockets Layer toolkit, which could result in denial of service.
Vulnerable: <= 1.1.1d-0+deb10u5
Fixed: 1.1.1d-0+deb10u6
Affects: 4.0.0-4.3.2
Fixed in: 4.4.0-4.4.5
Issue ID: 2614016
The switch firmware incorrectly identifies Lenovo LR4 transceivers (part number 00YD278) and does not set the laser levels properly, which can prevent the link from coming up or might cause the transceiver to be identified as a 1G module.
Affects: 4.2.0-4.3.2
Fixed in: 4.4.0-4.4.5
Issue ID: 2599274
On Mellanox Spectrum switches, when there is an MSTP forwarding state change on a bond (for example, when the state changes from blocking to forwarding), the MSTP hardware table might set some VLANs to blocking when they should be forwarding. As a result, all packets on these VLANs drop at ingress.
To recover from this state, flap the bond interface (not the physical swp) by running ifdown <bond_name> ; sleep 1 ; ifup <bond_name>.
Affects: 4.3.0-4.4.5
Fixed in: 5.0.0-5.8.0
Issue ID: 2582639
On NVIDIA Spectrum switches, BUM traffic might be dropped during VXLAN decapsulation in an EVPN multihoming environment after multiple PIM uplink interfaces flap.
Affects: 4.3.0-4.3.2
Fixed in: 4.4.0-4.4.5
Issue ID: 2578872
CVE-2021-20270: It was discovered that Pygments, a syntax highlighting package written in Python, could be forced into an infinite loop, resulting in denial of service.
Vulnerable: 2.3.1+dfsg-1
Fixed: 2.3.1+dfsg-1+deb10u1
Affects: 4.0.0-4.3.2
Fixed in: 4.4.0-4.4.5
Issue ID: 2578870
CVE-2020-35523 CVE-2020-35524: Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed.
Vulnerable: <= 4.1.0+git191117-2~deb10u1
Fixed: 4.1.0+git191117-2~deb10u2
Affects: 4.0.0-4.3.2
Fixed in: 4.4.0-4.4.5
Issue ID: 2577499
QSFP+ 40G optics do not work on Spectrum platforms.
Affects: 4.3.0-4.3.2
Fixed in: 4.4.0-4.4.5
Issue ID: 2574368
When you run the NCLU net add bgp maximum-paths ibgp command, FRR restarts unexpectedly.
To work around this issue, either use the vtysh commands or edit the /etc/frr/frr.conf file directly, then run systemctl reload frr.
Affects: 4.1.1-4.4.5
Issue ID: 2566880
CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range.
Affects: 3.7.14-3.7.14.2, 4.0.0-4.3.2
Fixed in: 3.7.15-3.7.16, 4.4.0-4.4.5
Issue ID: 2564534
Several vulnerabilities have been discovered in the GRUB2 bootloader:
CVE-2020-14372: It was discovered that the acpi command allows a privileged user to load crafted ACPI tables when Secure Boot is enabled.
CVE-2020-25632: A use-after-free vulnerability was found in the rmmod command.
CVE-2020-25647: An out-of-bound write vulnerability was found in the grub_usb_device_initialize() function, which is called to handle USB device initialization.
CVE-2020-27749: A stack buffer overflow flaw was found in grub_parser_split_cmdline.
CVE-2020-27779: It was discovered that the cutmem command allows a privileged user to remove memory regions when Secure Boot is enabled.
CVE-2021-20225: A heap out-of-bounds write vulnerability was found in the short form option parser.
CVE-2021-2023: A heap out-of-bound write flaw was found, caused by mis-calculation of the space required for quoting in the menu rendering.
Affects: 4.0.0-4.3.2
Fixed in: 4.4.0-4.4.5
2556782
CM-33398
CVE-2021-0326: An issue has been found in wpa, a set of tools to support WPA and WPA2 (IEEE 802.11i). Missing validation of data can result in a buffer overwrite, which might lead to a DoS of the wpa_supplicant process or potentially arbitrary code execution.
Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u1
Affects: 3.7.14-3.7.14.2, 4.0.0-4.3.2
Fixed in: 3.7.15-3.7.16, 4.4.0-4.4.5
2556777
CM-33395
CVE-2021-26937: A flaw in the handling of combining characters in screen, a terminal multiplexer with VT100/ANSI terminal emulation, can result in denial of service or potentially the execution of arbitrary code via a specially crafted UTF-8 character sequence.
Vulnerable: 4.6.2-3
Fixed: 4.6.2-3+deb10u1
Affects: 4.0.0-4.3.2
Fixed in: 4.4.0-4.4.5
2556772
CM-33391
The net show clag verify-vlans command fails with the following log:

WARNING: '/usr/bin/clagctl verifyvlans' failed due to:
Command '['/usr/bin/clagctl', 'verifyvlans']' returned non-zero exit status 1

To work around this issue, run the /usr/bin/clagctl verifyvlans command or the net show clag verbose command.
Affects: 4.2.1-4.4.5
2556730
CM-33359
CVE-2020-8625: A buffer overflow vulnerability was discovered in the SPNEGO implementation affecting the GSSAPI security policy negotiation in BIND, a DNS server implementation, which could result in denial of service (daemon crash) or potentially the execution of arbitrary code.
Vulnerable: <= 9.11.5.P4+dfsg-5.1+deb10u2
Fixed: 9.11.5.P4+dfsg-5.1+deb10u3
Affects: 4.0.0-4.3.2
Fixed in: 4.4.0-4.4.5
2556369
CM-33196
If you use NCLU to configure an ACL for eth0, you cannot designate it as an INPUT rule; the rule is automatically created as a FORWARD rule in the /etc/cumulus/acl/policy.d/50_nclu_acl.rules file.
To work around this issue, manually create an ACL in a file in the /etc/cumulus/acl/policy.d/ directory with "-A INPUT -i eth0".
Affects: 4.2.1-4.4.5
2556082
CM-33050
The NCLU net del vrf command does not delete a numbered VRF. For example:

cumulus@leaf01:~$ net del vrf 55
ERROR: Command not found

Affects: 4.2.1-4.4.5
2556081
CM-33049
You cannot set the time zone with NCLU commands.
Affects: 4.1.1-4.4.5
2555873
CM-32914
On Mellanox switches, egress ACLs with VLAN keys do not filter layer 2 multicast or broadcast traffic.
Affects: 4.3.0-4.4.5
2555763
CM-32861
The NCLU net del bgp neighbor command does not delete the neighbor and displays an error similar to the following:

ERROR: --- /run/nclu/frr/frr.conf.scratchpad.baseline 2021-01-04 17:23:59.250463331 +0000
+++ /run/nclu/frr/frr.conf.scratchpad 2021-01-04 17:25:59.213673980 +0000

To work around this issue, use the FRR command to delete the neighbor.
Affects: 4.3.0-4.4.5
2555613
CM-32786
The net show configuration commands command incorrectly displays the NCLU syntax to disable IPv6 forwarding on interfaces. For example:

# net show configuration commands
net add vlan 1 ip6-forward off

The correct NCLU command to disable IPv6 forwarding is net add vlan 1 ipv6 forward off (without the hyphen).
Affects: 4.2.1-4.4.5
2555318
CM-32612
If you try to enable BGP graceful restart when it is already enabled, you see an error similar to the following in the frr.log file:

2020-12-07T19:20:26.004333+00:00 cumulus bgpd[4954]: VRF default: Handle GR command GLOBAL_GR_CMD, current GR state GLOBAL_GR, new GR state GLOBAL_INVALID

This error has no functional impact.
Affects: 4.3.0-4.4.5
2554986
CM-32416
The ethtool utility does not contain the latest values; as a result, the Revision Compliance field shows Unallocated.
Affects: 4.2.1-4.4.5
2554812
CM-32296
If the RMAC of a layer 3 SVI changes, the show vrf vni command output is not updated with the new value. However, the new RMAC is shown in the show evpn vni command output and is present on self-originated EVPN routes.
Affects: 4.2.1-4.4.5
2554783
CM-32274
If you apply an outbound route map to a BGP peer that uses set as-path prepend last-as, advertised locally-originated routes have the ASN of the peer prepended to the AS path.
This might trigger AS path loop prevention on the peer, where the peer ignores locally-originated prefixes.
Affects: 4.2.1-4.4.5
Fixed in: 5.0.0-5.8.0
2554709
CM-32217
The IP address specified in the ip pim use-source command configured on the loopback interface should be inherited by unnumbered interfaces during their primary IP address selection process. If ip pim use-source is configured on the loopback after an unnumbered interface has already selected its primary IP address, the unnumbered interface does not update its primary IP address to the new use-source value until there is a netlink update for that interface.
To work around this issue, configure ip pim use-source on each unnumbered interface directly, or ensure that ip pim use-source is applied to the loopback before other unnumbered interfaces are enabled for PIM.
Affects: 3.7.13-3.7.16, 4.2.1-4.4.5
2554670
CM-32194
When you have a large number of ACLs, the cl-acltool -L ip and cl-resource-query commands take a long time to complete.
Affects: 4.3.0-4.4.5
2554582
CM-32144
On switches with the Maverick ASIC, control traffic is dropped due to receive buffering.
Affects: 4.2.0-4.4.5
2554533
CM-32112
On the ARM platform, NTP peer associations slowly increase to larger offsets (~500ms).
Affects: 4.0.0-4.4.5
2554466
CM-32068
Kernel routes added by iproute2 are missing in FRR after an interface flap.
To work around this issue, configure a static route in FRR.
Affects: 4.2.1-4.4.5
2554299
CM-31962
In a VRRP configuration, BGP unnumbered sessions for VRFs fail to establish after a networking restart.
Affects: 4.2.0-4.3.2
Fixed in: 4.4.0-4.4.5
2554222
CM-31921
The NCLU command to enable bridge learning fails.
As a workaround, enable bridge learning in the /etc/network/interfaces file. For example:

auto vni-30
iface vni-30
    vxlan-id 30
    bridge-access 30
    bridge-arp-nd-suppress on
    bridge-learning on
    vxlan-local-tunnelip 10.10.10.1
    mstpctl-bpduguard yes
    mstpctl-portbpdufilter yes
    mtu 9166

Affects: 4.2.1-4.4.5
2554218
CM-31917
MLAG packets received on the peer link are dropped instead of routed.
Affects: 4.2.0-4.4.5
2554202
CM-31904
The output of the net show commit command does not show the last commit or the specified commit number; it is empty instead.
Affects: 4.2.1-4.4.5
2553989
CM-31759
The default policer configured for LACP as an INPUT chain rule in 00control_plane.rules is meant to protect the CPU from an LACP storm. When an LACP storm originates from a single bond or bond member interface on a switch with multiple bond interfaces, other LACP bond interfaces might go down.
Affects: 4.2.1-4.4.5
2553887
CM-31700
When TACACS+ is configured with a DEFAULT user that provides a privilege level lower than 16, TACACS+ users configured with privilege level 16 access might not be able to run privilege level 16 NCLU commands, such as net add and net del, and see an error similar to the following:

ERROR: You do not have permission to execute that command.

To work around this issue, remove the DEFAULT user from the TACACS+ server.
Affects: 3.7.7-3.7.16, 4.0.0-4.4.5
2553677
CM-31605
When you configure an SNMPv3 user with the net-snmp-config command from the libsnmp-dev package, you get an error message similar to the following:

cumulus@switch:mgmt-vrf:~$ sudo net-snmp-config --create-snmpv3-user -a shaauthpass -x aesprivpass -A SHA -X AES userSHAwithAES
adding the following line to /var/lib/snmp/snmpd.conf:
createUser userSHAwithAES SHA "shaauthpass" AES "aesprivpass"
adding the following line to /snmp/snmpd.conf:
rwuser userSHAwithAES
touch: cannot touch '/snmp/snmpd.conf': No such file or directory
/usr/bin/net-snmp-create-v3-user: 144: /usr/bin/net-snmp-create-v3-user: cannot create /snmp/snmpd.conf: Directory nonexistent

To work around this issue, use the NCLU command to configure SNMPv3 user parameters; for example:

cumulus@switch:mgmt-vrf:~$ net add snmp-server username user999 auth-md5 user999password encrypt-des user999encryption

Alternatively, directly edit the /etc/snmp/snmpd.conf file as described in the documentation.
Affects: 3.7.13-3.7.16, 4.0.0-4.4.5
2553237
CM-31418
The default NTP configuration uses eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore, the NTP service runs automatically in the management VRF.
NVIDIA does not recommend running NTP with a source interface other than eth0, as this can expose a security vulnerability. Changing the NTP source interface with NCLU to a non-management VRF interface might result in NTP not functioning, because the NTP service is still running in the management VRF.
Affects: 4.2.0-4.4.5
2553116
CM-31357
When you manually set the link speed or duplex mode with ethtool to an unsupported value, then run a TDR check against the interface, you encounter a switchd service heartbeat failure.
To work around this issue, reboot the switch to clear the condition. Avoid setting the interface speed or duplex mode directly with ethtool.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2553015
CM-31300
If an LLDP neighbor advertises a PortID that contains a special character, the net show interface command does not display the LLDP information or the command might fail.
Affects: 3.7.10-3.7.16, 4.2.0-4.4.5
2552691
CM-31111
On the EdgeCore AS4610 switch, the eth0 interface remains down when physically connected to a 1G interface.
To work around this issue, configure the link speed to 1000 and set auto-negotiation on for the eth0 interface, then flap eth0 with the ip link set eth0 down/up command to bring up the port.
Affects: 4.2.0-4.4.5
2552453
CM-30987
On the Mellanox switch, RoCE with PFC configuration is not applied to all ports in hardware when a range is used in the traffic.conf file.
To work around this issue, use NCLU to configure RoCE with PFC, or list individual ports in the traffic.conf file.
Affects: 4.2.0-4.4.5
2552309
CM-30889
The following messages are seen on an EdgeCore Minipack-AS8000 running Cumulus Linux 4.2.0:

Hal_bcm_console.c:294 MMU config profile 0 prigroup 0: Service Pool 0 has no space and cannot be assigned
Hal_bcm_console.c:294 MMU config port 0 idx 0: Pool 0 has no space and cannot be assigned

These messages are for internal validation purposes only and can be safely ignored.
Affects: 4.2.0-4.4.5
2552294
CM-30879
NCLU restarts FRR when you remove a BGP VRF IPv4 aggregate-address command.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2552266
CM-30863
OpenSSH scp is vulnerable to CVE-2020-15778, where clients that have authorized access to the SSH server can execute commands on the server by copying maliciously named files.
There are two scenarios where an exploit may be useful to an attacker:
- The user is authorized to use scp but not ssh (based on the command option in the authorized_keys file), so this vulnerability allows the user to execute a remote command on the target computer without being authorized to do so.
- An attacker plants a maliciously named file in a directory tree that someone later copies to the target computer with scp -r.
Be aware that restricting users to scp by using the command option in the authorized_keys file is not effective in preventing those users from executing arbitrary commands on the server.
If you want to use scp -r to copy directory trees, avoid copying directory trees to which attackers may have added maliciously named files. Archiving the directory tree with tar, zip, or a similar program, then copying the archive over to be extracted on the server avoids having to use scp -r altogether. In addition, OpenSSH provides sftp, which you can use instead of scp to copy files.
To disable scp completely, run /bin/chmod 0 /usr/bin/scp.
Affects: 3.7.14-3.7.16, 4.0.0-4.4.5
2551666
CM-30473
If you modify an interface name, then reuse the previous interface name for a different VLAN, the ifreload -a command generates an error similar to the following:

warning: : interface not recognized - please check interface configuration

Affects: 4.1.0-4.4.5
2551578
CM-30422
When you configure a bridge in the /etc/network/interfaces file, then try to reconfigure the bridge to be a VRF interface with the same name, the ifreload and ifup commands fail with an invalid table id or unable to get vrf table id error.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2551565
CM-30414
If you toggle VRRP priority values between VRRP routers, then restart switchd, a few IPv6 VRRP instances might not converge. As a result, both VRRP routers act as master routers for the impacted IPv6 VRRP instances. IPv4 VRRP instances are not affected.
To work around this issue, remove, then add back the VRRP configuration with NCLU or vtysh commands.
Affects: 3.7.13-3.7.16, 4.2.0-4.4.5
2551335
CM-30312
When TACACS+ is configured and the management VRF is enabled, users with privilege level 13 are prevented from running ip and cat commands.
Affects: 4.0.0-4.4.5
2551305
CM-30296
The net show configuration command provides the wrong net add command for an ACL under the VLAN interface.
Affects: 3.7.12-3.7.16, 4.1.0-4.4.5
2551273
CM-30280
On a Mellanox SN2010 switch, the Locator LED is on after you upgrade Cumulus Linux.
Affects: 4.1.0-4.4.5
2551221
CM-30255
When span-to-cpu is enabled on a layer 3 swp interface with an IP address configured, packets with the switch port's IP address as the destination IP do not reach the switch port. To capture packets directed to the switch port's IP address, disable span-to-cpu and use tcpdump on the switch port instead.
Affects: 4.2.0-4.4.5
2551111
CM-30230
If a remote EVPN sticky MAC (static MAC address) is unexpectedly learned dynamically on a local interface, the selected entries in zebra and BGP are in an inconsistent state.
zebra increments the local MAC mobility sequence number and considers the MAC address to be local, but BGP keeps the remote sticky MAC as the selected best path. As a result, zebra installs the local MAC address and BGP does not update the route for the MAC address.
Affects: 4.0.0-4.4.5
2550974
CM-30195
On the Dell S3000 switch, after installing the Cumulus Linux 4.1.1 disk image without a license, the switch sends a link beat if a remote host port is configured.
Affects: 3.7.11-3.7.16, 4.1.1-4.4.5
2550793
CM-30101
The NCLU net show bridge spanning-tree command displays the aging timer incorrectly.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2550713
CM-30052
Configuring the subinterface of a VXLAN uplink under another traditional bridge, which also has the VXLAN VNI enslaved, causes switchd to use high CPU due to very frequent VXLAN tunnel sync events.
To work around this issue, do not enslave the subinterface of a VXLAN layer 3 uplink under a traditional bridge in a VXLAN configuration.
Affects: 4.1.1-4.4.5
2550704
On the Mellanox SN3420 switch, 25G SR optics only link up in force mode.
Affects: 4.3.0-4.3.2
Fixed in: 4.4.0-4.4.5
2550642
CM-30006
ACLs with a SPAN target and a bond member as the in-interface are not supported on Spectrum-based switches.
Affects: 4.2.0-4.4.5
2550444
CM-29872
Tab completion for the net show rollback description command returns information about a snapshot instead of context help.
To work around this issue, run the net show commit history command to find descriptions instead of the net show rollback description command.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2550443
CM-29871
The net show rollback description command returns an error even if the string matches a commit description.
To work around this issue, look for your string in the output of the net show commit history command (or grep for it there) instead.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2550243
CM-29759
When you use nginx and restserver in the management VRF to provide a REST API for the switch, nginx starts but restserver fails to start.
To work around this issue, comment out the Requires= line in the /lib/systemd/system/restserver.service file. For example:

#Requires=nginx.service restserver.socket

Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2550056
CM-29652
The ACCTON-DIAG option under the Cumulus Linux GRUB menu does not work. When you select this option, you see the following error:

error: invalid signature.
Press any key to continue...

Affects: 3.7.12-3.7.16, 4.1.1-4.4.5
2549925
CM-29594
When you run an Ansible script to replace the /etc/network/interfaces file, then run the ifreload -a command, you see errors similar to the following:

error: swp1s1.2: netlink: cannot set link swp1s1.2 up: operation failed with 'Network is down' (100)
warning: cmd '/bin/ip addr del 10.0.0.1/24 dev eth0' failed: returned 2 (RTNETLINK answers: Cannot assign requested address

To work around this issue, run the ifreload -a command a second time.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2549872
CM-29562
If you have an SVI with multiple VRR IP addresses and try to delete one of the VRR configurations, net commit or ifreload -a returns an error.
Affects: 3.7.12-3.7.16, 4.1.1-4.4.5
2549782
CM-29519
The JSON format output of the net show bgp l2vpn evpn summary command shows the incorrect neighbor state.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2549731
CM-29492
When you create SPAN or ERSPAN rules in ebtables, the action fails to install if it is not in lowercase. Make sure that the SPAN or ERSPAN action is all lowercase; for example:

[ebtables]
-A FORWARD --in-interface swp10 -j span --dport swp1

Affects: 3.7.12-3.7.16, 4.1.1-4.4.5
2549392
CM-29319
When you configure an RD or RT with NCLU, you see duplicate VNI stanzas in the /etc/frr/frr.conf file.
To work around this issue, manually edit the /etc/frr/frr.conf file to define advertise-all-vni before the RD or RT configuration within the l2vpn evpn address family, then reload the FRR service with the sudo systemctl reload frr command.
Affects: 4.1.0-4.4.5
2549371
CM-29309
When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when no MLD join is received.
Affects: 3.7.11-4.3.2
Fixed in: 4.4.0-4.4.5
2548924
CM-29146
On the EdgeCore Minipack AS8000, storm control does not restrict unknown unicast, broadcast, or multicast traffic.
Affects: 4.1.1-4.4.5
2548657
CM-29035
When you upgrade Cumulus Linux on the EdgeCore AS7726-32X or AS7326-56X switch, you might see firmware errors similar to the following:

W: Possible missing firmware /lib/firmware/tigon/tg3_tso5.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3_tso.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3.bin for module tg3

You can safely ignore these error messages.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2548579
The following security vulnerability has been announced:
CVE-2020-10531: An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp.
Affects: 3.7.12, 4.0.0-4.4.5
Fixed in: 3.7.13-3.7.16
2548315
CM-28816
The following security advisory has been announced for bash:
CVE-2019-18276 (Qualys scan QID 372268): setuid vulnerability.
When bash or bash scripts are run setuid, bash is supposed to drop privileges, but does so incorrectly, so that an attacker with command access to the shell can use enable -f for runtime loading of a new builtin that calls setuid() to regain dropped privileges.
To work around this issue, do not make bash or bash scripts setuid.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2548310
CM-28812
When the system boots, you might see errors similar to the following:

cumulus systemd-udevd[7566]: Process '/usr/bin/hw-management-thermal-events.sh add thermal_zone /sys/devices/virtual/thermal/thermal_zone25 thermal_zone25' failed with exit code 1

These errors result from user space acting on kernel events slightly late. The mlxsw_minimal driver is added during kernel boot; an SDK reset causes the driver to be deleted and re-instantiated. The user space handler for the thermal zone add event sees the add first, but the underlying device is deleted before the handler can act on it. The situation is rectified when the mlxsw_minimal driver is re-instantiated later.
Affects: 4.1.0-4.4.5
2548260
CM-28770
The net add routing route-map permit set community command does not add the set statement to the /etc/frr/frr.conf file.
Affects: 4.0.0-4.4.5
2548243
CM-28754
On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules.
Affects: 3.7.3-3.7.16, 4.0.0-4.4.5
2548117
CM-28659
In OVSDB traditional bridge mode, adding or removing a VLAN binding causes a traffic forwarding outage of around 20 seconds or more on adjacent VLAN bindings. Cumulus Linux does not support traditional bridge mode with VMware NSX.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2548062
CM-28622
When ports are split to 4x25G, RS FEC must be explicitly configured on both ends (especially when interoperating with non-Mellanox switches).
Affects: 4.1.0-4.4.5
2548044
CM-28608
When a remote VTEP withdraws a type-3 EVPN route, Cumulus Linux purges all MAC address and neighbor entries installed in the corresponding layer 2 VNI through that remote VTEP from the local EVPN and kernel forwarding tables. This purge occurs even if the remote VTEP does not withdraw type-2 routes carrying the MAC address or neighbor entries. The entries stay missing from the local EVPN and kernel forwarding tables until BGP updates the MAC address and neighbor.
Affects: 3.7.12-3.7.15, 4.0.0-4.4.5
Fixed in: 3.7.16
2547903
CM-28506
CVE-2019-19956: xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs.
Vulnerable: 2.9.4+dfsg1-7
Fixed: 2.9.4+dfsg1-7+deb10u1
Affects: 4.0.0-4.4.5
2547890
CM-28497
QinQ across VXLAN on a traditional bridge does not work.
Affects: 4.1.0-4.4.5
2547782
CM-28441
If an LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns.
Affects: 3.7.11-3.7.16, 4.0.0-4.4.5
2547706
CM-28397
When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch.
Affects: 3.7.11-3.7.16, 4.0.0-4.4.5
2547405
CM-28226
When you restart the hsflowd service, you see a systemd warning message similar to the following:

Warning: The unit file, source configuration file or drop-ins of hsflowd@mgmt.service changed on disk. Run 'systemctl daemon-reload'.

Affects: 4.0.0-4.4.5
2547120
CM-28076
After you hot swap a PSU, the decode-syseeprom -t psuX command shows the old PSU information (such as the serial number) until you run the decode-syseeprom --init command.
Affects: 3.7.11-3.7.16, 4.0.0-4.4.5
2546991
CM-28003
The FRR service does not provide a way for automation to know whether the configuration applied properly.
To work around this issue, run the vtysh -f command in the automation file before starting the FRR service to validate the configuration and return an error code.
Affects: 3.7.11-3.7.16, 4.0.0-4.4.5
2546895
CM-27957
If you configure a high number of ports and VLANs (ports x VLANs), or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following:

systemd[1]: switchd.service watchdog timeout (limit 2min)!

To work around this issue, either reduce the number of configured interfaces and/or VLANs, or increase the systemd timeout for switchd.service.
To increase the systemd timeout:
1. Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter.
2. Restart the switchd service with the sudo systemctl restart switchd.service command.
systemd attempts to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command.
Affects: 3.7.11-3.7.16, 4.0.0-4.4.5
2546874
CM-27950
On the Dell S5232F, S5248F, S5296F, and S3048 switches, the poweroff and halt commands do not fully power off the switch.
Affects: 4.0.0-4.4.5
2546255
CM-27637
On the EdgeCore Minipack-AS8000 switch, a 100G DAC link does not come up when auto-negotiation is enabled on the neighbor. This switch does not support 100G DAC auto-negotiation at this time.
Affects: 4.0.0-4.4.5
2546225
CM-27627
When you run the following commands on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support.

sudo onie-install -fai http://
sudo reboot

To work around this issue, use the onie-select command to access ONIE, then use the nos-install command in ONIE to install a new binary image.
Affects: 3.7.11-3.7.16, 4.0.0-4.4.5
2546131
CM-27581
On the Delta AG-6248C PoE switch, the apt upgrade command does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image: run the onie-select command to go into ONIE, then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present.
Affects: 3.7.11-3.7.16, 4.0.0-4.4.5
2545837
CM-27444
If you use the NCLU commands to configure NTP and run the net add time ntp source command before you run the net add time ntp server iburst command, the /etc/ntp.conf file is misconfigured.
To work around this issue, run the net add time ntp server iburst command before you run the net add time ntp source command.
Affects: 3.7.10-3.7.11, 4.0.0-4.4.5
Fixed in: 3.7.12-3.7.16
2545520
CM-27243
The length of the netlink message is not set properly for non-bridge family type messages. The same length is used for both bridge and non-bridge messages even though the bridge family type message has an extra attribute. This causes extra bytes to be left over in non-bridge family type netlink messages.
Affects: 3.7.10, 4.0.0-4.4.5
Fixed in: 3.7.11-3.7.16
2545239
CM-27099
On the Mellanox switch with the Spectrum-2 ASIC, Precision Time Protocol (PTP) is not currently supported.
Affects: 4.0.0-4.3.2
Fixed in: 4.4.0-4.4.5
2545233
CM-27094
On the Delta AG9032v1 switch, smonctl and sensors report inaccurate PSU current and power.
Affects: 4.0.0-4.4.5
2545125
CM-27018
If you configure more than one VRR interface on an SVI interface, deleting one of the VRR addresses does not remove the interface/address.
Affects: 3.7.10-3.7.16, 4.0.0-4.4.5
2544978
CM-26921
If you delete an undefined bond, then add a bond slave, the net commit command fails.
Affects: 3.7.9-3.7.16, 4.0.0-4.4.5
2544968
CM-26913
FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:

sudo sh -c "printf 'interface 50\nvrf TEST description L3 routing interface\n' >> /etc/frr/frr.conf"

should be:

sudo sh -c "printf 'interface 50 vrf TEST\ndescription L3 routing interface\n' >> /etc/frr/frr.conf"

To work around this issue, configure the interface manually in the /etc/frr/frr.conf file.
Affects: 3.7.9-3.7.16, 4.0.0-4.4.5
2544957
CM-26907
NCLU incorrectly allows you to apply port security configuration on layer 2 and layer 3 ports that are not part of a bridge.
Affects: 4.0.0-4.4.5
2544953
CM-26905
When you update the hostname of a switch with the NCLU net add hostname command, then run net commit, the lldpd service does not restart and other devices still see the old hostname.
To work around this issue, run the sudo systemctl restart lldpd.service command.
Affects: 3.7.10-3.7.16, 4.0.0-4.4.5
2544880
CM-26860
When you run the NCLU net show commit last command, or the net show commit command for the last commit, no output is shown.
Affects: 4.0.0-4.4.5
2544723
CM-26769
Setting ProtoDown on ports populated with SFP modules that provide RJ-45 1000BASE-T interfaces does not cause the carrier to be dropped. The kernel shows the carrier down; however, the remote device still shows a link.
Affects: 3.7.6-3.7.10, 4.0.0-4.4.5
Fixed in: 3.7.11-3.7.16
2544463
CM-26599
Auto-negotiation does not work with QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.
To work around this issue, do not use auto-negotiation and set the local port speed to 10G.
Affects: 3.7.9-3.7.16, 4.0.0-4.4.5
2544456
CM-26595
The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds.
Affects: 3.7.9-3.7.16, 4.0.0-4.4.5
2544311
CM-26516
Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host.
Affects: 3.7.5-3.7.16, 4.0.0-4.4.5
2544155
CM-26423
NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order.
Affects: 3.7.5-3.7.16, 4.0.0-4.4.5
2544113
CM-26412
MAC learning is not disabled by default on a double-tagged peer link interface, which results in the MAC address changing between the MLAG bond and the peer link.
To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the /etc/network/interfaces file.
Affects: 3.7.9-3.7.16, 4.0.0-4.4.5
2543937
CM-26308
An interface alias configured outside FRR using iproute2 is imported into the FRR running configuration and overrides the internal description. After an FRR reload, this causes FRR to delete the interface alias in an inefficient way. Depending on how many interfaces with aliases you have configured, this can cause an FRR reload to time out.
To work around this issue, remove the interface alias description from iproute2.
Affects: 3.7.8-3.7.10, 4.0.0-4.4.5
Fixed in: 3.7.11-3.7.16
2543915
CM-26301
When you enable a service in the management VRF, systemctl issues a warning similar to the following:

Warning: The unit file, source configuration file or drop-ins of ntp@mgmt.service changed on disk. Run 'systemctl daemon-reload' to reload unit

You can safely ignore this warning.
Affects: 4.0.0-4.4.5, 5.0.0-5.8.0
2543900
CM-26288
On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address.
Affects: 3.7.8-3.7.16, 4.0.0-4.4.5
2543841
CM-26256
The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
Affects: 3.7.8-3.7.16, 4.0.0-4.4.5
2543816
CM-26241
On the Dell S5248F-ON switch, smond might generate syslog messages indicating that the fan input RPM is lower than the normal low speed of 2500 RPM. Speeds as low as 1700 RPM are acceptable in normal thermal environments; therefore, you can ignore these messages.
Affects: 3.7.6-3.7.11, 4.0.0-4.4.5
Fixed in: 3.7.12-3.7.16
2543781
CM-26217
NCLU does not allow you to configure OSPF NSSAs. For example:

cumulus@switch:~$ net add ospf area 0.0.0.1 nssa
ERROR: Command not found.
net add ospf area 0.0.0.1 nssa

To work around this issue, use FRR instead. For example:

switch# configure terminal
switch(config)# router ospf
switch(config-router)# area 0.0.0.1 nssa

Affects: 3.7.7-3.7.10, 4.0.0-4.4.5
Fixed in: 3.7.11-3.7.16
2543724
CM-26179
If a hostname contains UTF-8 characters, the NCLU net show lldp command outputs the following error:

ERROR: 'ascii' codec can't encode character u'\xe9' in position 3: ordinal not in range(128)
See /var/log/netd.log for more details.

Affects: 3.7.7-3.7.10, 4.0.0-4.4.5
Fixed in: 3.7.11-3.7.16
2543646
CM-26136
In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case).3.7.6-3.7.16, 4.0.0-4.4.5
2543401
CM-25986
On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces.
To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish.
4.0.0-4.4.5
2543211
CM-25890
In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18).
3.7.0-3.7.16, 4.0.0-4.4.5
2543164
CM-25859
The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.
To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command.
3.7.7-3.7.16, 4.0.0-4.4.5
2543096
CM-25815
When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted.
3.7.6-3.7.16, 4.0.0-4.4.5
2542945
CM-25740
On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags.
To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad:

cumulus@switch:~$ net add bridge mybridge vlan-protocol 802.1ad
3.7.6-3.7.16, 4.0.0-4.4.5
2542837
CM-25674
On Mellanox switches, policer iptables are not working as expected. For example, when using a policer with mode KB/MB/GB to rate-limit interfaces, the syntax is accepted but the data plane transfer speed is not affected by the rule.
Affects: 3.7.6-3.7.8, 4.0.0-4.4.5
Fixed: 3.7.9-3.7.16
2542305
CM-25400
If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically.
3.7.6-3.7.16, 4.0.0-4.4.5
2542301
CM-25397
When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted.
3.7.3-3.7.16, 4.0.0-4.4.5
2541212
CM-24894
The maximum-prefix configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded.
3.7.5-3.7.16, 4.0.0-4.4.5
2541029
CM-24799
On switches with the Trident2 ASIC, 802.1Q-encapsulated control plane traffic received on an interface with 802.1AD configured subinterfaces might be dropped.
This issue only affects QinQ configurations.
3.7.5-3.7.16, 4.0.0-4.4.5
2540753
CM-24618
If the interface alias contains a single or double quotation mark, or an apostrophe, the net show configuration commands fail with the following error:
 
ERROR: No closing quotation
See /var/log/netd.log for more details.

3.7.5-3.7.16, 4.0.0-4.4.5
2540444
CM-24473
SNMP incorrectly requires engine ID specification.
3.7.4-3.7.16, 4.0.0-4.4.5
2540352
CM-24435
When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a match interface condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces.
For example, this command is incorrect:
 
net add routing route-map Proxy-ARP permit 25 match interface swp9-10

These commands are correct:
 
net add routing route-map Proxy-ARP permit 25 match interface swp9
net add routing route-map Proxy-ARP permit 30 match interface swp10

3.7.2-3.7.16, 4.0.0-4.4.5
2540340
CM-24426
NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays . For example:
 
cumulus@switch:~$ net add vrf mgmt


Tab completion for the net add vrf ip address command works correctly.
3.7.4-3.7.16, 4.0.0-4.4.5
2540274
CM-24379
On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route.
3.7.5-3.7.16, 4.0.0-4.4.5
2540204
CM-24350
When links come up after FRR is started, VRF connected routes do not get redistributed.
3.7.4-3.7.16, 4.0.0-4.4.5
2540192
CM-24343
The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.
To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value.
3.7.4-3.7.16, 4.0.0-4.4.5
2540155
CM-24332
On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.
3.7.3-3.7.16, 4.0.0-4.4.5
2540042
CM-24272
When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.
To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example:
 
cumulus@switch:~$ sudo vtysh
switch# configure terminal
switch(config)# interface br0.100
switch(config-if)# vrrp 1 priority 110
switch(config-if)# vrrp 1 advertisement-interval
switch(config-if)# end
switch# write memory
switch# exit
cumulus@switch:~

3.7.4-3.7.16, 4.0.0-4.4.5
2540041
CM-24271
On SVIs in a VLAN-aware bridge, you cannot change the VRRP priority with NCLU.
To work around this issue, run the vtysh command inside FRR to change the default priority. For example:
 
cumulus@switch:~$ sudo vtysh
switch# configure terminal
switch(config)# interface vlan100
switch(config-if)# vrrp 1 priority 110
switch(config-if)# end
switch# write memory
switch# exit
cumulus@switch:~

3.7.4-3.7.16, 4.0.0-4.4.5
2540040
CM-24270
Cumulus Linux uses VRRPv3 as the default version, and enables both preempt and accept mode by default. You cannot change these default values with NCLU. To work around this issue, run the vtysh commands (inside FRR) to change the default values. For example:
 
cumulus@switch:~$ sudo vtysh
switch# configure terminal
switch(config)# interface swp4
switch(config-if)# vrrp 1 version 2
switch(config-if)# no vrrp 1 preempt
switch(config-if)# end
switch# write memory
switch# exit
cumulus@switch:~

3.7.4-3.7.16, 4.0.0-4.4.5
2540031
CM-24262
NCLU does not honor auto all in the /etc/network/interfaces file and removes the existing configuration if no individual auto lines exist.
3.7.3-3.7.16, 4.0.0-4.4.5
2539994
CM-24241
When you try to remove a BGP peer group configuration with NCLU, the command fails but no warning message is shown. For example:
 
cumulus@switch:~$ net del bgp neighbor fabric peer-group
'router bgp 65001' configuration does not have 'neighbor fabric peer-group'

3.7.2-3.7.16, 4.0.0-4.4.5
2539962
CM-24222
When an LDAP user that does not have NCLU privileges (either in the netshow or netedit group, or in the /etc/netd.conf file) runs an NCLU command, a traceback occurs instead of a permissions error.
3.7.0-3.7.16, 4.0.0-4.4.5
2539670
CM-24035
On the Edgecore 4610-54P switch, automatic medium-dependent interface crossover (auto-MDIX) stops working on a 100M full duplex interface and does not detect the required cable connection type.
3.7.2-3.7.16, 4.0.0-4.4.5
2539124
CM-23825
The net add interface ptm-enable command adds no ptm-enable for that interface in the frr.conf file.
Running the net add or the net del command does not remove no ptm-enable from the frr.conf file. You have to remove it manually using vtysh.
3.7.2-3.7.16, 4.0.0-4.4.5
2538790
CM-23665
NCLU automatically adds the VLAN ID (for the layer 3 VNI/SVI) to the bridge when you run net add vxlan bridge access . This configuration breaks network connectivity in an EVPN symmetric routing configuration using MLAG.
To restore connectivity, remove the VLAN ID from the bridge.
3.7.2-3.7.16, 4.0.0-4.4.5
2538590
CM-23584
When you configure a control plane ACL to define permit and deny rules destined to the local switch, NCLU programs the control plane ACL rules into the FORWARD chain.
3.7.2-3.7.16, 4.0.0-4.4.5
2538562
CM-23570
On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the /etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up.
After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown.
To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings.
Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G.
3.7.2-3.7.16, 4.0.0-4.4.5
2538294
CM-23417
If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid.
3.7.0-3.7.16, 4.0.0-4.4.5
2537699
CM-23075
There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces cause the dhcrelay service to exit without a core file, and logs similar to the following are generated for the interfaces:
 
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
3.7.1-3.7.16, 4.0.0-4.4.5
2537544
CM-23021
When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB.
3.7.1-3.7.16, 4.0.0-4.4.5
2536576
CM-22554
If you try to bring down several members of a bond remotely at the same time, the link state of one of the interfaces might not transition correctly to the down state; however, all links show down in hardware.
4.0.0-4.4.5
2536384
CM-22386
The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptables redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.
3.7.0-3.7.16, 4.0.0-4.4.5
2536256
CM-22301
For an unresolved address, the IPROUTER default policer rule has been modified to not match on packets exiting a TUNNEL and headed to the CPU to resolve the address via ARP. As a result, the following default rule no longer matches TUNNEL ingress packets.

-A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type IPROUTER -j POLICE --set-mode pkt --set-rate 400 --set-burst 100

These packets are now policed by catch-all rules.
To work around this issue, the VPORT value on a TRIDENT switch must be changed from binary 011 to 100.
4.0.0-4.4.5
2536242
CM-22287
On the EdgeCore AS7712 (Tomahawk) switch running in atomic mode, when a layer 3 ECMP path is brought down, traffic traversing the path stops working for about four seconds. When the switch is changed to non-atomic mode, the delay is less than one second. This issue is seen across OSPF and static ECMP routes.
4.0.0-4.4.5
2536179
CM-22228
On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working.
3.7.0-3.7.16, 4.0.0-4.4.5
2535986
CM-22041
At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets.
When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart.
3.7.0-3.7.16, 4.0.0-4.4.5
2535965
CM-22020
On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly.
To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic.
3.7.0-3.7.16, 4.0.0-4.4.5
2535723
CM-21785
The source address of the ICMPv6 time exceeded message (traceroute hop) is sourced from the wrong VRF when the traceroute target resides on the same switch but in a different VRF.
4.0.0-4.4.5
2535605
CM-21667
FRR does not add BGP ttl-security to either the running configuration or to the /etc/frr/frr.conf file when configured on a peer group instead of a specific neighbor.
To work around this issue, add ttl-security to individual neighbors instead of the peer group.
4.0.0-4.4.5
2535209
CM-21278
The net show lldp command sometimes shows the port description in the Remote Port field. The net show interface command shows the correct value in the Remote Host field.
To work around this issue, use net show interface command for LLDP output when connected to Cisco equipment.
Affects: 3.7.5-3.7.10, 4.0.0-4.4.5
Fixed: 3.7.11-3.7.16
2534734
CM-20813
Span rules matching the out-interface as a bond do not mirror packets.
4.0.0-4.4.5
2533691
CM-19788
If you configure a VLAN under a VLAN-aware bridge and create a subinterface of the same VLAN on one of the bridge ports, the bridge and interface compete for the same VLAN and if the interface is flapped, it stops working. Correcting the configuration and running the ifreload command does not resolve the conflict.
To work around this issue, correct the bridge VIDs and restart switchd or delete the subinterface.
3.7.12-3.7.16, 4.0.0-4.4.5
2533625
CM-19724
PIM and MSDP entries are set to the internal COS value of 6 so they are grouped together with the bulk traffic priority group in the default traffic.conf file. However, PIM, IGMP, and MSDP are considered control-plane and should be set to the internal COS value of 7.
4.0.0-4.4.5
2533337
CM-19454
When you use NCLU to bring a bond admin down (net add bond link down), the bond interface goes into admin down state but the switch ports enslaved to the bond remain UP. If you are using bond-lacp-bypass-allow or balance-xor mode, the host might continue to send traffic. This traffic will be dropped because although the bond slaves are UP, they are not members of the bridge.
To work around this issue, use the sudo ifdown command.
4.0.0-4.4.5
2531273
CM-17494
In certain cases, a peer device sends an ARP request from a source IP address that is not on the connected subnet and the switch creates a STALE neighbor entry. Eventually, the switch attempts to keep the entry fresh and sends ARP requests to the host. If the host responds, the switch has REACHABLE neighbor entries for hosts that are not on the connected subnet.
To work around this issue, change the value of arp_ignore to 2. See Address Resolution Protocol in the Cumulus Linux user guide (https://docs.cumulusnetworks.com/cumulus-linux/Layer-3/Address-Resolution-Protocol-ARP/) for more information.
4.0.0-4.4.5

Fixed Issues in 4.3.2

Issue IDDescriptionAffects
3647731
None
CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.
Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P '').
For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected.
4.0.0-4.3.1, 5.0.0-5.6.0
3544701
None
If BGP remote-as is set to an integer and you try to configure the local-as for a BGP instance, you see the following error:
% AS specified for local as is the same as the remote as and this is not allowed
This configuration is not allowed; it is considered to be eBGP and local preference is not advertised.
5.0.0-5.5.1
3534654
On a Broadcom switch, Q-in-Q VLAN operations do not clear when you remove a bridge port from a VXLAN-enabled bridge. This can result in unexpected double tagged packets if the outer VLAN is still used on the bridge. To work around this issue, restart switchd after you modify or remove double tagged bridge ports from a VXLAN-enabled bridge.
4.3.1
3486888
None
If FRR learns a layer 2 entry against a VNI and you reconfigure the VNI later as a layer 3 VNI, the original layer 2 entry does not clear and remains in the forwarding database.
4.3.0-4.3.1
3479967
When you remove VRF configuration, the systemctl reload frr.service command returns a non-zero exit code after erroneously running the invalid command no exit-vrf.
4.3.1
3455998
When you poll the BGP unnumbered MIB object 1.3.6.1.4.1.40310.4 after uncommenting the bgpun_pp.py pass persist script in the /etc/snmpd/snmpd.conf file, BGP session information is not retrieved. To work around this issue, add executable permissions to the script with the sudo chmod +x /usr/share/snmp/bgpun_pp.py command.
4.3.1
3448171
If a default route is withdrawn from the routing table and then learned again, traffic matching this entry will be software (CPU) forwarded. This will cause intermittent drops due to the CPU rate limiter.
This only impacts the default VRF and a default route learned dynamically.
To recover from this condition, either:
1. Restart switchd.service (sudo systemctl restart switchd.service), or
2. Reboot the switch (sudo reboot).
4.3.1
3434315
IPv6 BGP sessions in a VRF do not establish with MD5 authentication.
4.3.0-4.3.1
3419962
On a Broadcom switch, if you remove a double-tagged interface from a bridge that contains other double-tagged interfaces built on the same physical port (for example, you remove swp1.10.100 when swp1.10.200 is also a bridge port), traffic forwarding within the bridge might fail and you see critical warnings in the /var/log/switchd.log file similar to the following:
switchd[8587]: hal_bcm.c:2207 CRIT knet_vlan_translate_delete(update): port 1 ext_vlan 10.100 int_vlan 2132: -11
4.3.1
3419953
If you remove a double tagged bridge port from a bridge when a different interface exists with the same port and virtual ID, you might see a segmentation fault and a switchd crash due to incorrect initialization when Cumulus Linux creates the second double-tagged interface. To work around this issue, make sure you remove the double-tagged interfaces from the bridge in the /etc/network/interfaces file.
4.3.1
3413826
None
During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbors cannot synchronize between MLAG nodes. The clagctl dumppermanentneighs command only shows local neighbors.
4.2.1-4.3.1, 4.4.0-5.4.0
3410952
None
If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes.
3.7.0-4.3.1
3401121
sFlow is not able to sample packets in the egress direction. To work around this issue, add the following to the hsflowd.conf file to enable egress sampling:
samplingDirection=out
psample { group=1 }
4.3.0-4.3.1
3376798
On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected.
3.7.0-4.3.1
3366612
The base version of the Linux kernel is updated to the v4.19.273 stable release, which includes fixes for several CVE issues.
4.3.1
3364996
Under certain conditions, BGP can allow a combination of EVPN and non-EVPN paths to be put into a multipath group together. This results in erroneous programming of EVPN symmetric next hops and RMACs, which can result in momentary traffic drops.
4.3.0-4.3.1
3336590
None
On the Trident 2+ and Trident 3 switch when using VXLAN layer 2 VPNs and sending tunneled traffic where the inner IP header has a TTL of 1, the egress VTEP incorrectly forwards this traffic through the software path instead of the hardware data plane. This traffic is rate-limited to 100pps by default. To work around this issue, ensure that the traffic traversing the layer 2 tunnel has an inner IP header TTL value that is more than 1. If this workaround is not possible, contact Nvidia Support to determine other options.
4.3.0-4.3.1
3334036
None
When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash.
4.3.0-4.3.1
3334031
None
When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash.
4.3.0-4.3.1
3319919
None
Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit.
4.2.1-4.3.1, 4.4.0-5.3.1
3288385
On the EdgeCore AS7326-56X and AS7726-32X switch, the fan speed reports a minimum threshold in the logs.
4.3.1
3288343
None
When you reboot a Broadcom switch with a static default route configured, the route might be installed in hardware without a next hop. This results in forwarded traffic to the CPU and drops. To recover from this issue, remove the default route configuration and reapply it. To prevent this issue, before rebooting the switch, split the default route configuration into two routes as below:
ip route 0.0.0.0/1 10.1.1.1
ip route 128.0.0.0/1 10.1.1.1
4.3.1
3269538
None
The cl-ecmpcalc command prints the following error when the egress interface is a bond or SVI:
ecmpcalc: will query hardware
Traceback (most recent call last):
  File "/usr/cumulus/bin/cl-ecmpcalc", line 986, in <module>
    isTrunkMbr, port = ecmp.getHdPort(hd_cmd)
  File "/usr/cumulus/bin/cl-ecmpcalc", line 618, in getHdPort
    port = int(str4)
ValueError: invalid literal for int() with base 10: '0t
4.3.0-4.3.1
3267353
In a QinQ configuration, if the VLAN priority is a non-zero value, double-tagged packets are translated to triple-tagged packets.
4.3.1
3244739
None
If you have a lot of inbound route maps that match lists with many regex statements, a large number of updates from the peer can cause the system to run out of memory. To work around this issue, reduce the number of regex matches in inbound route maps.
4.4.0-5.2.1
3236349
None
Using ARP suppression with a very large number of interfaces might result in missing ARP entries on the local device or buffer underrun warnings in the neighmgrd log.
4.3.0-4.3.1
3235956
With certain triggers on Broadcom switches, such as adding or deleting a VNI or reloading the network, Cumulus Linux might consider the underlay routes as overlay routes. In this case, switchd allocates the overlay next hop, which is incorrect and might affect traffic forwarding.
4.3.0-4.3.1
3234031
None
If BGP neighbor allowas-in is set, negating it with no neighbor allowas-in does not disable the setting. To work around this issue and disable the setting, restart the FRR service.
4.2.1-4.3.1
3191517
None
When the switch receives an LLDP frame from a Cisco router right after a ptmd restart, the ptmd service crashes.
4.3.0-4.3.1, 4.4.0-5.2.1
2555175
CM-32528
Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps.
3.7.15-4.3.1

4.3.1 Release Notes

Open Issues in 4.3.1

Issue IDDescriptionAffectsFixed
3773177
When you try to upgrade a switch from Cumulus Linux 5.5 or earlier to 5.8.0 with package upgrade, you see errors for expired GPG keys that prevent you from upgrading. To work around this issue, install the new keys with the following commands, then upgrade the switch.
cumulus@switch:~$ wget https://download.nvidia.com/cumulus/apt.cumulusnetworks.com/repo/pool/cumulus/c/cumulus-archive-keyring/cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt install ./cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt update
cumulus@switch:~$ sudo apt upgrade
4.0.0-4.4.5, 5.0.0-5.8.0
3684998
DHCP lease information is not collected in the cl-support file.
Affects: 4.3.0-5.6.0
Fixed: 5.7.0-5.8.0
3647731
None
CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.
Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P '').
For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected.
Affects: 4.0.0-4.3.1, 5.0.0-5.6.0
Fixed: 4.3.2-4.4.5, 5.7.0-5.8.0
3647424
None
When you remove the update-source configuration for a BGP neighbor, the peering is reset if the neighbor is a member of a peer group with the same update-source configuration.
4.3.0-4.4.5
3534654
On a Broadcom switch, Q-in-Q VLAN operations do not clear when you remove a bridge port from a VXLAN-enabled bridge. This can result in unexpected double tagged packets if the outer VLAN is still used on the bridge. To work around this issue, restart switchd after you modify or remove double tagged bridge ports from a VXLAN-enabled bridge.
Affects: 4.3.1
Fixed: 4.3.2-4.4.5
3488136
When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf router bgp neighbor address-family in command.
Affects: 4.2.1-5.5.1
Fixed: 5.6.0-5.8.0
3486888
None
If FRR learns a layer 2 entry against a VNI and you reconfigure the VNI later as a layer 3 VNI, the original layer 2 entry does not clear and remains in the forwarding database.
Affects: 4.3.0-4.3.1
Fixed: 4.3.2-4.4.5, 5.6.0-5.8.0
3479967
When you remove VRF configuration, the systemctl reload frr.service command returns a non-zero exit code after erroneously running the invalid command no exit-vrf.
Affects: 4.3.1
Fixed: 4.3.2-4.4.5
3474391
The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB.
Affects: 4.3.1-5.5.1
Fixed: 5.6.0-5.8.0
3455998
When you poll the BGP unnumbered MIB object 1.3.6.1.4.1.40310.4 after uncommenting the bgpun_pp.py pass persist script in the /etc/snmpd/snmpd.conf file, BGP session information is not retrieved. To work around this issue, add executable permissions to the script with the sudo chmod +x /usr/share/snmp/bgpun_pp.py command.
Affects: 4.3.1
Fixed: 4.3.2-4.4.5
3448171
If a default route is withdrawn from the routing table and then learned again, traffic matching this entry will be software (CPU) forwarded. This will cause intermittent drops due to the CPU rate limiter.
This only impacts the default VRF and a default route learned dynamically.
To recover from this condition, either:
1. Restart switchd.service (sudo systemctl restart switchd.service), or
2. Reboot the switch (sudo reboot).
Affects: 4.3.1
Fixed: 4.3.2-4.4.5
3434315
IPv6 BGP sessions in a VRF do not establish with MD5 authentication.
Affects: 4.3.0-4.3.1
Fixed: 4.3.2-4.4.5
3429530
On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time.
Affects: 4.2.1-5.4.0
Fixed: 5.5.0-5.8.0
3419962
On a Broadcom switch, if you remove a double-tagged interface from a bridge that contains other double-tagged interfaces built on the same physical port (for example, you remove swp1.10.100 when swp1.10.200 is also a bridge port), traffic forwarding within the bridge might fail and you see critical warnings in the /var/log/switchd.log file similar to the following:
switchd[8587]: hal_bcm.c:2207 CRIT knet_vlan_translate_delete(update): port 1 ext_vlan 10.100 int_vlan 2132: -11
Affects: 4.3.1
Fixed: 4.3.2-4.4.5
3419953
If you remove a double tagged bridge port from a bridge when a different interface exists with the same port and virtual ID, you might see a segmentation fault and a switchd crash due to incorrect initialization when Cumulus Linux creates the second double-tagged interface. To work around this issue, make sure you remove the double-tagged interfaces from the bridge in the /etc/network/interfaces file.
Affects: 4.3.1
Fixed: 4.3.2-4.4.5
3413826
None
During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbors cannot synchronize between MLAG nodes. The clagctl dumppermanentneighs command only shows local neighbors.
Affects: 4.2.1-5.4.0
Fixed: 5.5.0-5.8.0
3410952
None
If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes.
Affects: 3.7.0-5.4.0
Fixed: 5.5.0-5.8.0
3401121
sFlow is not able to sample packets in the egress direction. To work around this issue, add the following to the hsflowd.conf file to enable egress sampling:
samplingDirection=out
psample { group=1 }
Affects: 4.3.0-4.3.1
Fixed: 4.3.2-4.4.5
3376798
On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected.
Affects: 3.7.0-4.3.1
Fixed: 4.3.2-4.4.5
3366612
The base version of the Linux kernel is updated to the v4.19.273 stable release, which includes fixes for several CVE issues.
Affects: 4.3.1
Fixed: 4.3.2-4.4.5
3364996
Under certain conditions, BGP can allow a combination of EVPN and non-EVPN paths to be put into a multipath group together. This results in erroneous programming of EVPN symmetric next hops and RMACs, which can result in momentary traffic drops.
Affects: 4.3.0-4.3.1
Fixed: 4.3.2-4.4.5
3336590
None
On the Trident 2+ and Trident 3 switch when using VXLAN layer 2 VPNs and sending tunneled traffic where the inner IP header has a TTL of 1, the egress VTEP incorrectly forwards this traffic through the software path instead of the hardware data plane. This traffic is rate-limited to 100pps by default. To work around this issue, ensure that the traffic traversing the layer 2 tunnel has an inner IP header TTL value that is more than 1. If this workaround is not possible, contact Nvidia Support to determine other options.
4.3.0-4.4.5
3334036
None
When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash.4.3.0-4.3.14.3.2-4.4.5, 5.4.0-5.8.0
3334031
None
When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash.4.3.0-4.3.14.3.2-4.4.5
3330705
When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present.3.7.0-5.3.15.4.0-5.8.0
3327477
If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password.3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.8.0
3321391
None
On the NVIDIA SN2410 switch, ports with optical transceivers show FAULT errors in the sensor command output.4.2.1-5.3.15.4.0-5.8.0
3319919
None
Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit.4.2.1-5.3.15.4.0-5.8.0
3291548
None
In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart switchd.4.2.1-4.4.55.0.0-5.8.0
3288385
On the EdgeCore AS7326-56X and AS7726-32X switch, the fan speed reports a minimum threshold in the logs.4.3.14.3.2-4.4.5
3288343
None
When you reboot a Broadcom switch with a static default route configured, the route might be installed in hardware without a next hop. This results in forwarded traffic to the CPU and drops. To recover from this issue, remove the default route configuration and reapply it. To prevent this issue, before rebooting the switch, split the default route configuration into two routes as below:
ip route 0.0.0.0/1 10.1.1.1ip route 128.0.0.0/1 10.1.1.1
4.3.1-4.4.5
3269538
None
The cl-ecmpcalc command prints the following error when the egress interface is a bond or SVI:
ecmpcalc: will query hardwareTraceback (most recent call last):File “/usr/cumulus/bin/cl-ecmpcalc”, line 986, inisTrunkMbr, port = ecmp.getHdPort(hd_cmd)File “/usr/cumulus/bin/cl-ecmpcalc”, line 618, in getHdPortport = int(str4)ValueError: invalid literal for int() with base 10: ‘0t
4.3.0-4.3.14.3.2-4.4.5
3267353
In a QinQ configuration, if the VLAN priority is a non-zero value, double-tagged packets are translated to triple-tagged packets.4.3.14.3.2-4.4.5
3236349
None
Using ARP suppression with a very large number of interfaces might result in missing ARP entries on the local device or buffer underrun warnings in the neighmgrd log.4.3.0-4.3.14.3.2-4.4.5
3235956
With certain triggers on Broadcom switches, such as adding or deleting a VNI or reloading the network, Cumulus Linux might consider the underlay routes as overlay routes. In this case, switchd allocates the overlay next hop, which is incorrect and might affect traffic forwarding.4.3.0-4.3.14.3.2-4.4.5
3234031
None
If BGP neighbor allowas-in is set, negating with no no neighbor allowas-in does not disable the setting. To work around this issue and disable the setting, restart the FRR service.4.2.1-4.3.14.3.2-4.4.5, 5.3.0-5.8.0
3218207
None
Certain routes on tenant VRFs have missing next hop entries because the router MAC address is missing in the bridge forwarding database table that corresponds to the remote VTEP. As a result, traffic forwarding is affected for these routes.4.3.0-5.2.15.3.0-5.8.0
3216922
None
RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users).3.7.0-5.2.15.3.0-5.8.0
3216921
None
RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users)
3.7.0-3.7.16, 4.3.0-4.4.5
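Issues 3216922 and 3216921 above hinge on one misconfiguration: a name on the users_with_edit line that is not a local account. The shell script below is an added example, not part of the release notes or of Cumulus Linux; it lists such names so you can audit a switch before relying on the RADIUS show-only restriction. It assumes the key = value, comma-separated layout of /etc/netd.conf (for example users_with_edit = root, cumulus) and takes the passwd file as an argument so it can also be run against a copied file; the sample files referred to in the usage note are constructed.

```shell
#!/bin/sh
# Added example, not from the Cumulus Linux release notes: audit the
# users_with_edit line of /etc/netd.conf for names that are not local
# accounts, the condition under which issues 3216922 and 3216921 let
# RADIUS users listed in users_with_show run NCLU edit commands.

# netd_users CONF KEY
# Print, one per line, the users on the "KEY = a, b, c" line of CONF.
# Assumes the comma-separated netd.conf layout; commented lines are ignored
# because the key must start the line.
netd_users() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tr ',' '\n' | tr -d '[:blank:]' | grep -v '^$'
}

# is_local_user USER PASSWD_FILE
# True when USER has an entry in the passwd file, i.e. is a real Linux account.
is_local_user() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' "$2"
}

# nonlocal_edit_users CONF [PASSWD_FILE]
# Print every users_with_edit entry that is not a local account and
# return 1 if there are any; return 0 when the line is clean.
nonlocal_edit_users() {
    conf=$1
    passwd=${2:-/etc/passwd}
    rc=0
    for u in $(netd_users "$conf" users_with_edit); do
        if ! is_local_user "$u" "$passwd"; then
            echo "$u"
            rc=1
        fi
    done
    return $rc
}

# Audit the live switch when run directly:  sh audit-netd.sh /etc/netd.conf
if [ -n "${1-}" ]; then
    if nonlocal_edit_users "$1" "${2-}"; then
        echo "users_with_edit: all entries are local accounts"
    else
        echo "users_with_edit: the entries above are not local accounts; remove them or create the users"
    fi
fi
```

Run it as sh audit-netd.sh /etc/netd.conf on the switch (a second argument points it at a different passwd file). A non-empty list means the workaround in the entry has not been applied: either delete those names from users_with_edit or create them as local users.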
3216759
With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool, and the ACL might not work correctly:
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy, or keep ip-acl-heavy and enable ACL non-atomic mode.
Affects: 3.7.15-3.7.16, 4.3.0-4.4.5 | Fixed: -

3191517
When the switch receives an LLDP frame from a Cisco router right after a ptmd restart, the ptmd service crashes.
Affects: 4.3.0-5.2.1 | Fixed: 5.3.0-5.8.0

3168564
In a large scale VXLAN configuration (for example, more than 8500 VLANs across ports), switchd might crash when you restart clagd or when all bonds go operationally down, then up. On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scale limit for VXLAN deployments at 8500 VLANs across ports with LACP bypass disabled.
Affects: 4.3.1-4.4.5 | Fixed: -

3163845
If the bond slaves listed in the /etc/network/interfaces file are not in alphabetical order, the bond interface MAC address can change when you run ifreload. For example, if the bond slaves are listed as swp32 swp31, the switch initially uses the MAC address of swp32 as the bond MAC address. Another ifreload can change this to the MAC address of swp31, which can cause protocol issues such as IPv6 link-local address changes.
Affects: 4.3.1-4.4.5 | Fixed: -

3138746
The switch duplicates DHCP packets that pass through the VTEP.
Affects: 4.3.0-5.1.0 | Fixed: 5.2.0-5.8.0

3131423
During EVPN multihoming bond failover, ARP and ND redirection fails if you configure layer 2 VNIs and ES bonds before you configure the loopback IP address of the switch. To work around this issue, configure the loopback IP address, then restart FRR with the systemctl restart frr command.
Affects: 4.3.0-5.1.0 | Fixed: 5.2.0-5.8.0

3129819
On the EdgeCore AS4610 switch, the clagd service loses communication after 198 days of uptime.
Affects: 3.7.15-3.7.16, 4.3.0-4.4.5 | Fixed: -

3119615
In an MLAG topology, if you admin down a single connected interface, any dynamic MAC addresses on the peer link are flushed, then added back momentarily, which disrupts traffic.
Affects: 3.7.15-5.1.0 | Fixed: 5.2.0-5.8.0

3117340
When you edit the /usr/share/openvswitch/scripts/ovs-ctl-vtep file to change the ovs-vtepd configuration between vlan-aware and vlan-unaware mode, ovs-vtepd crashes when you restart the service. To recover, restart the networking service with the sudo systemctl restart networking command.
Affects: 4.3.0-5.1.0 | Fixed: 5.2.0-5.8.0

3093966
On Broadcom switches, INPUT chain iptables rules filter IPv6 packets that match the rules.
Affects: 3.7.15-3.7.16, 4.3.0-4.4.5 | Fixed: -

3093863
The snmpd process slowly leaks memory when you poll TCP-MIB objects. To work around this issue, restart the snmpd service to free memory with the systemctl restart snmpd command.
Affects: 3.7.16-4.4.3 | Fixed: 4.4.4-4.4.5, 5.2.0-5.8.0

3089165
A slow memory leak might occur in switchd if a route fails to install in hardware because hardware resources are exhausted.
Affects: 4.2.1-4.4.3 | Fixed: 4.4.4-4.4.5

3084027
Under a high load, you might see ingress drop counters increase. The drops are classified as HwIfInDiscards in ethtool and shown as ingress_general in hardware.
Affects: 4.3.0-4.4.5, 5.0.0-5.8.0 | Fixed: -

3073668
On the EdgeCore AS4610 switch, when you change the speed of any of the SFP+ ports, the other SFP+ ports flap.
Affects: 3.7.12-3.7.16, 4.3.0-4.4.5 | Fixed: -

3072613
When you delete a bond interface with NCLU, the BGP peer group configuration is removed.
Affects: 3.7.15-3.7.16, 4.3.0-4.4.5 | Fixed: -

3059135
In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route. To resolve this issue, restart FRR with the sudo systemctl restart frr command.
Affects: 4.3.0-5.1.0 | Fixed: 5.2.0-5.8.0

3046023
The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install.
Affects: 4.2.1-5.1.0 | Fixed: 5.2.0-5.8.0

3007564
After you delete the last vxlan-remoteip configuration line from the /etc/network/interfaces file and run the ifreload -a command, the corresponding BUM flood entry is not removed.
Affects: 3.7.15-5.0.1 | Fixed: 5.1.0-5.8.0, 5.2.0-5.8.0

2999341
CVE-2021-3570: The ptp4l program in linuxptp, an implementation of the Precision Time Protocol (PTP), does not validate the messageLength field of incoming messages, allowing a remote attacker to cause a denial of service, information leak, or potentially remote code execution.
Fixed package version: 1.9.2-1+deb10u1
Affects: 4.2.1-4.4.1 | Fixed: 4.4.2-4.4.5

2968495
If switchd requires more time to update port or bond configuration after the port or bond flaps, the systemd watchdog times out. As a result, systemd might assume that switchd is unresponsive and restart it.
Affects: 4.2.1-4.4.2 | Fixed: 4.4.3-4.4.5, 5.1.0-5.8.0

2961008
SNMP reports the same ifType of ethernetCsmacd(6) for loopback interfaces.
Affects: 3.7.15-4.4.2, 5.0.0-5.0.1 | Fixed: 4.4.3-4.4.5, 5.1.0-5.8.0

2951110
The net show time ntp servers command does not show any output with the management VRF.
Affects: 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.8.0 | Fixed: -

2940051
In an MLAG configuration with traditional bridges, MAC addresses are seen over the peer link during ifreload when adding new VLANs or bridges.
Affects: 3.7.14.2-3.7.15, 4.3.0-4.4.5 | Fixed: 3.7.16, 5.0.0-5.8.0

2902013
The NCLU commit command adds a five second delay.
Affects: 4.2.1-4.4.5 | Fixed: -

2896450 (CM-31978)
On the Dell N3248PXE switch, fixed RJ45 interfaces with PoE neighbors can end up in Paused mode after a switchd restart, which blocks traffic on that interface. To work around this issue, restart switchd a second or third time until all interfaces are functioning correctly, or reboot the switch.
Affects: 4.3.0-4.4.5 | Fixed: -

2893895 (CM-33315)
CVE-2020-35498: A vulnerability was found in openvswitch. A limitation in the implementation of userspace packet parsing can allow a malicious user to send a specially crafted packet causing the resulting megaflow in the kernel to be too wide, potentially causing a denial of service. The highest threat from this vulnerability is to system availability.
Vulnerable package version: <= 2.8.90-1-cl4u5 | Fixed package version: 2.8.90-1-cl4u6, 2.8.90-1-cl4.4.0u1, 2.8.90-1-cl5.0.0u8
Affects: 4.0.0-4.3.2 | Fixed: 4.4.0-4.4.5, 5.1.0-5.8.0

2891255
CVE-2021-39925: Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or a crafted capture file.
Vulnerable package version: <= 2.6.20-0+deb10u1 | Fixed package version: 2.6.20-0+deb10u2
Affects: 4.0.0-4.4.1, 5.0.0-5.8.0 | Fixed: 4.4.2-4.4.5

2890681
CVE-2021-42771: Relative path traversal in Babel, a set of tools for internationalising Python applications, could result in the execution of arbitrary code.
Vulnerable package version: 2.6.0+dfsg.1-1 | Fixed package version: 2.6.0+dfsg.1-1+deb10u1
Affects: 4.0.0-4.4.1, 5.0.0-5.8.0 | Fixed: 4.4.2-4.4.5

2866080
On the Maverick S4148T switch with MLAG, Cumulus Linux drops LACP, ARP, LLDP and BGP traffic.
Affects: 4.3.0-4.4.5 | Fixed: -

2854787
An unexpected software system shutdown can occur due to a thermal zones issue in the hw-management package. The following message might appear in /var/log/syslog before the shutdown:
thermal thermal_zoneX: critical temperature reached (33 C), shutting down
Affects: 4.3.0-4.3.2 | Fixed: 4.4.0-4.4.5, 5.1.0-5.8.0

2854784
After building VLAN or VXLAN interfaces, MLAG becomes unstable.
Affects: 4.3.0-4.4.1 | Fixed: 4.4.2-4.4.5, 5.0.0-5.8.0

2845531
If you update the MAC address of an SVI while the SVI is in a protodown state (for example, when no bridge ports that carry this VNI are operationally up, or when the MAC address of the SVI's parent bridge changes), clagd does not notice the change. The MLAG peer incorrectly maintains a PERMANENT neighbor entry for the SVI IP address that points to the old MAC address.
Affects: 4.2.1-4.4.5 | Fixed: 5.0.0-5.8.0

2838905
On Broadcom ARM switches, the NTP clock slowly drifts to a very high offset (over 500ms) and cannot synchronize. To work around this issue, use the chrony implementation of NTP instead of ntpd; chrony synchronizes the system clock faster and with better accuracy. Instructions for using chrony are here: https://docs.nvidia.com/networking-ethernet-software/knowledge-base/Network-Solutions/Chrony-on-Cumulus-Linux/
Affects: 4.3.0-4.4.5 | Fixed: -

2821869
The cl-route-check --layer3 command fails with a memory error. For example:
cumulus@switch:~$ sudo cl-route-check --layer3
Traceback (most recent call last):
  File "/usr/cumulus/bin/cl-route-check", line 1270, in <module>
    routing.collect_data()
  File "/usr/cumulus/bin/cl-route-check", line 528, in collect_data
    self.collect_data_bgp_ipv4()
  File "/usr/cumulus/bin/cl-route-check", line 711, in collect_data_bgp_ipv4
    bgp_ipv4 = json.loads(output)
  File "/usr/lib/python2.7/json/__init__.py", line 338, in loads
    return _default_decoder.decode(s)
  File "/usr/lib/python2.7/json/decoder.py", line 366, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/lib/python2.7/json/decoder.py", line 382, in raw_decode
    obj, end = self.scan_once(s, idx)
MemoryError
Affects: 3.7.15-4.4.5 | Fixed: 5.0.0-5.8.0

2820565
SNMP does not start and you see errors similar to the following:
cumulus@switch:~$ sudo systemctl status snmpd.service
snmpd.service - Simple Network Management Protocol (SNMP) Daemon.
   Loaded: loaded (/lib/systemd/system/snmpd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Mon 2021-10-11 14:38:13 UTC; 1min 8s ago
  Process: 1987 ExecStart=/usr/sbin/snmpd $SNMPDOPTS -f (code=exited, status=1/FAILURE)
 Main PID: 1987 (code=exited, status=1/FAILURE)
To work around this issue, run the sudo systemctl restart snmpd.service command.
Affects: 4.3.0-4.4.5 | Fixed: 5.0.0-5.8.0

2803044
In an EVPN configuration with IP or MAC mobility, EVPN routes with a higher MM (MAC mobility) sequence number do not remove the old ARP entries during VIP migration between VTEP racks.
Affects: 3.7.14.2-3.7.15, 4.3.0-4.4.5 | Fixed: 3.7.16

2794766
The Mellanox 3700C switch reports a slow memory leak in sx_sdk. Memory use increases by about 240B per hour and is not freed.
Affects: 4.3.0-4.4.5 | Fixed: 5.0.0-5.8.0

2792616
If a neighbor entry (ARP or NDP) is used as the next hop of a route that is synchronized into hardware, the neighbor entry is not removed from hardware after the neighbor is no longer reachable. As a result, routed traffic matching this prefix is incorrectly hardware forwarded using the stale neighbor information.
Affects: 4.3.0-4.4.5 | Fixed: 5.0.0-5.8.0

2783611
If you remove ports from a bridge and add IP addresses in one ifreload, connected routes are bound to the wrong routing information field.
Affects: 4.3.0-4.4.1 | Fixed: 4.4.2-4.4.5

2782033
The following vulnerabilities have been announced in the openssl packages:
CVE-2021-3711: buffer overflow vulnerability in SM2 decryption
CVE-2021-3712: buffer overrun when processing ASN.1 strings in the X509_aux_print() function
More details at https://www.openssl.org/news/secadv/20210824.txt
Vulnerable package version: <= 1.1.1d-0+deb10u6 | Fixed package version: 1.1.1d-0+deb10u7
Affects: 4.0.0-4.4.1 | Fixed: 4.4.2-4.4.5

2781537
In Cumulus VX, the iptables FORWARD chain does not count hits. To work around this issue, use -t mangle -A PREROUTING instead of FORWARD.
Affects: 4.3.0-4.4.5 | Fixed: 5.0.0-5.8.0

2771871
IPv4 and IPv6 neighbor entries in a FAILED state are incorrectly programmed into hardware as FORWARD entries instead of TRAP entries. Traffic is forwarded to these neighbors with a destination MAC address of 00:00:00:00:00:00 instead of being trapped to the CPU to resolve the correct MAC address. This affects failed neighbor entries on routed interfaces that are not SVIs.
Affects: 4.3.0-4.4.1 | Fixed: 4.4.2-4.4.5

2771653
When using W-ECMP, the weights for various BGP next hops can sometimes be in the range of 100 or more, which consumes a lot of hardware space.
Affects: 4.3.0-4.4.5 | Fixed: -

2754791
Remote MAC addresses in zebra are out of sync with bgpd. The zebra MAC addresses point to an incorrect (old) VTEP IP address and the sequence number is one higher than in BGP.
Affects: 3.7.14.2-3.7.16, 4.3.0-4.4.5 | Fixed: -

2754691
CVE-2021-3672: In c-ares, a library that performs DNS requests and name resolution asynchronously, missing input validation of hostnames returned by DNS servers can lead to output of wrong hostnames (leading to domain hijacking).
Vulnerable package version: 1.14.0-1 | Fixed package version: 1.14.0-1+deb10u1
Affects: 4.0.0-4.4.1 | Fixed: 4.4.2-4.4.5

2754685
CVE-2021-38165: lynx, a non-graphical (text-mode) web browser, does not properly handle the userinfo subcomponent of a URI, which can lead to leaking of credentials in cleartext in SNI data.
Vulnerable package version: 2.8.9rel.1-3 | Fixed package version: 2.8.9rel.1-3+deb10u1
Affects: 4.0.0-4.4.1 | Fixed: 4.4.2-4.4.5

2754679
CVE-2020-26558 / CVE-2021-0129: BlueZ does not properly check permissions during the pairing operation, which could allow an attacker to impersonate the initiating device.
CVE-2020-27153: A double free flaw in the disconnect_cb() routine in gattool. A remote attacker can take advantage of this flaw during service discovery for denial of service, or potentially, execution of arbitrary code.
Vulnerable package version: <= 5.50-1.2~deb10u1 | Fixed package version: 5.50-1.2~deb10u2
Affects: 4.0.0-4.4.1 | Fixed: 4.4.2-4.4.5

2753955
On the Lenovo MSN3700 switch, if you try to configure an interface with a link speed of 200G, the configuration fails.
Affects: 4.2.1-4.4.5 | Fixed: 5.0.0-5.8.0

2747605
CVE-2021-3246: A buffer overflow in libsndfile, a library for reading and writing audio files, which could result in denial of service or potentially the execution of arbitrary code when processing a malformed audio file.
Vulnerable package version: 1.0.28-6 | Fixed package version: 1.0.28-6+deb10u1
Affects: 4.0.0-4.4.1 | Fixed: 4.4.2-4.4.5

2743186
When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish.
Affects: 3.7.15-5.1.0 | Fixed: 5.2.0-5.8.0

2739690
CVE-2021-22918: An out-of-bounds read was discovered in the uv__idna_to_ascii() function of libuv, an asynchronous event notification library, which could result in denial of service or information disclosure.
Vulnerable package version: 1.24.1-1 | Fixed package version: 1.24.1-1+deb10u1
Affects: 4.0.0-4.4.1 | Fixed: 4.4.2-4.4.5

2739639
CVE-2021-36222: It was discovered that the Key Distribution Center (KDC) in krb5, the MIT implementation of Kerberos, is prone to a NULL pointer dereference flaw. An unauthenticated attacker can take advantage of this flaw to cause a denial of service (KDC crash) by sending a request containing a PA-ENCRYPTED-CHALLENGE padata element without using FAST.
Vulnerable package version: <= 1.17-3+deb10u1 | Fixed package version: 1.17-3+deb10u2
Affects: 4.0.0-4.4.1 | Fixed: 4.4.2-4.4.5

2739402
The destination MAC address of ERSPAN GRE packets is set to all zeros.
Affects: 4.3.0-4.4.5 | Fixed: 5.0.0-5.8.0

2734122
CVE-2021-33910: The Qualys Research Labs discovered that an attacker-controlled allocation using the alloca() function could result in memory corruption, allowing an attacker to crash systemd and hence the entire operating system. Details can be found at https://www.qualys.com/2021/07/20/cve-2021-33910/denial-of-service-systemd.txt
Vulnerable package version: <= 241-7~deb10u7 | Fixed package version: 241-7~deb10u8
Affects: 4.0.0-4.4.1 | Fixed: 4.4.2-4.4.5

2734119
The ESI line in the show bgp l2vpn evpn route command output always shows VNI: 0. This is a cosmetic software issue.
Affects: 4.3.0-4.4.5 | Fixed: 5.0.0-5.8.0

2734103
ACL [No More Resources] messages keep appearing and you cannot reinstall the ACL.
Affects: 4.3.0-5.1.0 | Fixed: 5.2.0-5.8.0

2728207
CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Affects: 3.7.0-3.7.16, 4.0.0-4.4.5 | Fixed: -

2728206
CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Affects: 3.7.0-3.7.16, 4.0.0-4.4.5 | Fixed: -

2728205
CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Affects: 3.7.0-4.4.1 | Fixed: 4.4.2-4.4.5

2728134
CVE-2021-27212: A vulnerability in the Certificate List Exact Assertion validation was discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of this flaw to cause a denial of service (slapd daemon crash) via specially crafted packets.
Vulnerable package version: <= 2.4.47+dfsg-3+deb10u5 | Fixed package version: 2.4.47+dfsg-3+deb10u6
Affects: 4.0.0-4.3.2 | Fixed: 4.4.0-4.4.5
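Many entries in this table give a vulnerable and a fixed Debian package version. The shell script below is an added example, not from the release notes or from NVIDIA; it uses dpkg's own version ordering to report whether the packages installed on a switch are at or past the fixed version, which is the check a practitioner wants before deciding whether a 4.3.x switch still needs the 4.4.x upgrade for a given CVE. The binary package names in the list (libssl1.1, libuv1, libkrb5-3, systemd, libldap-2.4-2, openvswitch-common) are my assumed mapping from the source packages the notes name and should be confirmed with dpkg -l on the switch; the fixed versions are copied from entries 2782033, 2739690, 2739639, 2734122, 2728134 and 2893895.

```shell
#!/bin/sh
# Added example, not from the Cumulus Linux release notes: compare installed
# Debian package versions with the "Fixed package version" values in the
# table, using dpkg's own version ordering (epochs, ~, + and -cl suffixes
# are all handled by dpkg --compare-versions).

# is_vulnerable INSTALLED FIXED
# Returns 0 (true) when INSTALLED sorts before FIXED, i.e. the fix is absent.
is_vulnerable() {
    dpkg --compare-versions "$1" lt "$2"
}

# check_package PACKAGE FIXED
# Prints one status line. Returns 1 if the package is installed and still
# older than FIXED, 0 if it is fixed or not installed at all.
check_package() {
    pkg=$1
    fixed=$2
    if ! inst=$(dpkg-query -W -f '${Version}' "$pkg" 2>/dev/null); then
        echo "$pkg: not installed"
        return 0
    fi
    if is_vulnerable "$inst" "$fixed"; then
        echo "$pkg: installed $inst < fixed $fixed  VULNERABLE"
        return 1
    fi
    echo "$pkg: installed $inst >= fixed $fixed  ok"
    return 0
}

# check_all
# Package / fixed version / CVE table. The binary package names are an
# assumed mapping from the source packages the notes name; verify them
# with dpkg -l on the switch. Returns the number of vulnerable packages.
check_all() {
    bad=0
    while read -r pkg fixed cve; do
        case $pkg in ''|'#'*) continue ;; esac
        check_package "$pkg" "$fixed" || bad=$((bad + 1))
    done <<'EOF'
libssl1.1          1.1.1d-0+deb10u7        CVE-2021-3711,CVE-2021-3712
libuv1             1.24.1-1+deb10u1        CVE-2021-22918
libkrb5-3          1.17-3+deb10u2          CVE-2021-36222
systemd            241-7~deb10u8           CVE-2021-33910
libldap-2.4-2      2.4.47+dfsg-3+deb10u6   CVE-2021-27212
openvswitch-common 2.8.90-1-cl4u6          CVE-2020-35498
EOF
    return $bad
}

# Run the audit when invoked as:  sh check-fixed-versions.sh run
# The exit status is the number of packages still below their fixed version.
if [ "${1-}" = run ]; then
    check_all
fi
```

Add a line to the table for each further entry you care about; dpkg --compare-versions also understands the Cumulus-specific suffixes such as -cl4u6 and +cl4.4.0u1, so the cl-built packages (openvswitch, json-c, isc-dhcp, hostapd) can be checked the same way. A VULNERABLE line for a package that is not reachable from outside the switch is still worth noting, but the entries that matter most on a network device are the network-facing daemons (sshd, snmpd, ptp4l, slapd if used).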
2728119
When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the sudo systemctl restart frr command.4.3.0-4.4.55.0.0-5.8.0
2713888
With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode.
3.7.15-5.0.15.1.0-5.8.0
2711533
On the AS7326-56X switch, the link lights for 25G ports configured to work at 1G do not illuminate.4.2.1-4.4.5
2710208
The net show bgp neighbor command output shows the BFD status as UP even when the BGP neighbor is not established, such as when the interface is down.4.2.1-4.4.5
2706744
In an EVPN multihoming configuration, the VTEP continues to advertise a stale route after an extended MAC mobility event.4.3.0-4.4.14.4.2-4.4.5
2700767
Following an event that causes the peerlink bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a peer IP mismatch. This behavior is seen when you use a MLAG peer IP linklocal configuration.3.7.12-3.7.15, 4.3.0-4.4.53.7.16
2695526
CVE-2021-3580 CVE-2021-20305: Multiple vulnerabilities were discovered in nettle, a low level cryptographic library, which could result in denial of service (remote crash in RSA decryption via specially crafted ciphertext, crash on ECDSA signature verification) or incorrect verification of ECDSA signatures
Vulnerable: 3.4.1-1Fixed: 3.4.1-1+deb10u1
4.0.0-4.3.24.4.0-4.4.5
2690017
When you remove a bond member, then re-add it, you might see a Parameter Error failure in {syslog and switchd.log:
sx_sdk: LAG: Can’t add port (0x00012400) to lag. Port has vports configured for it (Parameter Error)
switchd[4529]: hal_mlx_bond.c:582 ERR bond32 member swp32 add failed: Parameter Error
To work around this issue, restart switchd.
4.3.0-4.3.24.4.0-4.4.5
2687159
CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331 CVE-2020-36332: Multiple vulnerabilities were discovered in libwebp, the implementation of the WebP image format, which could result in denial of service, memory disclosure or potentially the execution of arbitrary code if malformed images are processed
Vulnerable: 0.6.1-2Fixed: 0.6.1-2+deb10u1
4.0.0-4.3.24.4.0-4.4.5
2685994
When you use the NVUE command nv set interface lo router ospf area to configure OSPF on a loopback interface, the configuration fails to apply
To work around this issue, configure the loopback interface in the desired OSPF area with the nv set vrf default router ospf area 0 network command and reference the assigned prefix of the loopback interface. For example:
cumulus@leaf01:~$ nv set vrf default router ospf area 0 network 10.10.10.1/32
4.0.0-5.0.15.1.0-5.8.0
2682971
CVE-2020-12762: integer overflow in the json-c JSON library, which could result in denial of service or potentially the execution of arbitrary code if large malformed JSON files are processed
Vulnerable: 0.12.2+cl4u1Fixed: 0.12.2+cl4.4.0u1
4.0.0-4.3.24.4.0-4.4.5
2682780
Adding a route map configuration after a MAC access list configuration line causes the route map configuration to be applied incorrectly
To work around this issue, add the MAC access list configuration to the end of the /etc/frr/frr.conf file.
4.2.0-4.3.24.4.0-4.4.5
2679950
CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1
3.7.0-3.7.15, 4.0.0-4.3.23.7.16, 4.4.0-4.4.5
2671667
CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which couldresult in denial of service and potentially the execution of arbitrary code
Vulnerable: <= 1.14.2-2+deb10u3Fixed: 1.14.2-2+deb10u4
4.0.0-4.3.24.4.0-4.4.5
2669873
In an EVPN multihoming configuration, ARP/ND traffic coming in one switch is being sent back out the originating bond on the other switches in the ES on remote PE switches. Normally Split Horizon filtering prevents this kind of traffic at the remote PE.4.3.0-4.3.24.4.0-4.4.5
2669858
CM-32169
OpenSSH is vulnerable to CVE-2020-14145, as described in https://www.fzi.de/fileadmin/user_upload/2020-06-26-FSA-2020-2.pdf.
This is an information leak in algorithm negotiation that can allow man-in-the-middle attacks on initial connection attempts without a previously stored server host key on the client. If desired, mitigation using UpdateHostKeys and HostKeyAlgorithms is also given in that paper.
3.7.14-3.7.16, 4.0.0-4.4.5
2669073
On Spectrum, Spectrum-2, and Spectrum-3 switches, the l1-show command shows the wrong data when the MST service is stopped
To work around this issue, start the MST service with the sudo mst start command.
4.3.0-4.3.24.4.0-4.4.5
2666838
CVE-2021-31535: missing length validation in various functions provided by libx11, the X11 client-side library, allow to inject X11 protocol commands on X clients, leading to authentication bypass, denial of service or potentially the execution of arbitrary code
Vulnerable: <= 1.6.7-1+deb10u1Fixed: 1.6.7-1+deb10u2
4.0.0-4.3.24.4.0-4.4.5
2663479
CVE-2021-3520: integer overflow flaw in lz4, a fast LZ compression algorithm library, resulting in memory corruption
Vulnerable: 1.8.3-1Fixed: 1.8.3-1+deb10u1
4.0.0-4.3.24.4.0-4.4.5
2656527
CVE-2020-18032: A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file
Vulnerable: 2.40.1-6Fixed: 2.40.1-6+deb10u1
4.0.0-4.3.24.4.0-4.4.5
2648658
If you try to use more than one percent of max-ecmp-nexthops, you get an error indicating a failure.3.7.15-4.3.24.4.0-4.4.5
2644053
The following vulnerabilities have been announced in BIND:CVE-2021-25214: a malformed incoming IXFR transfer could trigger an assertion failure in named, resulting in denial of service
CVE-2021-25215: named could crash when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query
CVE-2021-25216: the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries
Vulnerable: <= 9.11.5.P4+dfsg-5.1+deb10u4Fixed: 9.11.5.P4+dfsg-5.1+deb10u5
4.0.0-4.3.24.4.0-4.4.5
2639303
When you use NCLU to delete a bond, then add an interface, NCLU reports an error similar to the following:
ERROR: ‘NoneType’ object has no attribute ‘conf_key_value_multiple_values’See /var/log/netd.log for more details.
4.3.0-4.4.5
2632379
When you upgrade the switch with apt-get upgrade, the kexec-tools package is not installed, which causes the Smart System Manager fast restart mode to work incorrectly.4.3.0-4.3.24.4.0-4.4.5
2628515
CVE-2020-12695: hostapd does not properly handle UPnP subscribe messages under certain conditions, allowing an attacker to cause a denial of service
Vulnerable: <= 2.8.0-cl3.7.15u2Fixed: 2.8.0-cl3.7.15u3
3.7.14-3.7.14.2, 4.3.0-4.3.23.7.15-3.7.16, 4.4.0-4.4.5
2618227
The NCLU net show bridge macs command displays permanent MAC addresses for trunked VLANs.4.3.0-4.4.5
2617000
CVE-2021-26933 CVE-2021-27379Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, privilege escalation or memory disclosure
Vulnerable: < 4.11.4+99-g8bce4698f6-1Fixed: 4.11.4+99-g8bce4698f6-1
4.0.0-4.3.24.4.0-4.4.5
2616998
CVE-2021-23358: missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code
Vulnerable: 1.9.1~dfsg-1Fixed: 1.9.1~dfsg-1+deb10u1
4.0.0-4.3.24.4.0-4.4.5
2616987
CVE-2020-6851 CVE-2020-8112 CVE-2020-15389 CVE-2020-27814 CVE-2020-27823 CVE-2020-27824 CVE-2020-27841 CVE-2020-27842 CVE-2020-27843 CVE-2020-27845: Multiple vulnerabilities have been discovered in openjpeg2, the open-source JPEG 2000 codec, which could result in denial of service or the execution of arbitrary code when opening a malformed image
Vulnerable: <= 2.3.0-2+deb10u1Fixed: 2.3.0-2+deb10u2
4.0.0-4.3.24.4.0-4.4.5
2616976
Multiple vulnerabilities were discovered in cURL, an URL transfer library:CVE-2020-8169: partial password leak to DNS servers
CVE-2020-8177: malicious server could cause curl -J -i to overwrite a local file
CVE-2020-8231: libcurl with CURLOPT_CONNECT_ONLY information leak due to wrong connection
CVE-2020-8284: PASV response could trick curl into connecting back to an arbitrary IP address and port
CVE-2020-8285: libcurl could run out of stack space using FTP wildcard matching (CURLOPT_CHUNK_BGN_FUNCTION)
CVE-2020-8286: failure to verify that OSCP response matches intended certificate
CVE-2021-22876: libcurl did not strip user credentials from URL when populating Referer HTTP request header
CVE-2021-22890: libcurl using HTTPS proxy with TLS1.3 could use the wrong session ticket and bypass server TLS certificate check
Vulnerable: <= 7.64.0-4+deb10u1Fixed: 7.64.0-4+deb10u2
4.0.0-4.3.24.4.0-4.4.5
2616967
CVE-2021-28957: lxml, a Python binding for the libxml2 and libxslt libraries, did not properly sanitize its input. This would allow a malicious user to mount a cross-site scripting attack
Vulnerable: <= 4.3.2-1+deb10u2Fixed: 4.3.2-1+deb10u3
4.0.0-4.3.24.4.0-4.4.5
2616964
CVE-2021-27291: Pygments, a syntax highlighting package written in Python 3, used regular expressions which could result in denial of service
Vulnerable: <= 2.3.1+dfsg-1+deb10u1Fixed: 2.3.1+dfsg-1+deb10u2
4.0.0-4.3.24.4.0-4.4.5
2616954
CVE-2021-3449: A NULL pointer dereference was found in the signature_algorithms processing in OpenSSL, a Secure Sockets Layer toolkit, which could result in denial of service
Vulnerable: <= 1.1.1d-0+deb10u5Fixed: 1.1.1d-0+deb10u6
4.0.0-4.3.24.4.0-4.4.5
2614016
The switch firmware incorrectly identifies Lenovo LR4 transceivers (part number 00YD278) and does not set the laser levels properly, which can prevent the link from coming up or might cause the transceiver to be identified as a 1G module.4.2.0-4.3.24.4.0-4.4.5
2599274
On Mellanox Spectrum switches, when there is an MSTP forwarding state change on a bonds (for example, when the state changes from blocking to forwarding), the MSTP hardware table might set some VLANs to blocking when they should be forwarding. A a result, all packets on these VLANs drop at ingress
To recover from this state, flap the bond interface (not the physical swp) by running ifdown <bond_name> ; sleep 1 ; ifup <bond_name>.
4.3.0-4.4.55.0.0-5.8.0
2582639
On NVIDIA Spectrum switches, BUM traffic might be dropped during VXLAN decapsulation in an EVPN multihoming environment after multiple PIM uplink interfaces flap.4.3.0-4.3.24.4.0-4.4.5
2578872
CVE-2021-20270: It was discovered that Pygments, a syntax highlighting package written in Python, could be forced into an infinite loop, resulting in denial of service
Vulnerable: 2.3.1+dfsg-1
Fixed: 2.3.1+dfsg-1+deb10u1
Affects: 4.0.0-4.3.2; Fixed in: 4.4.0-4.4.5
2578870
CVE-2020-35523 CVE-2020-35524: Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed
Vulnerable: <= 4.1.0+git191117-2~deb10u1
Fixed: 4.1.0+git191117-2~deb10u2
Affects: 4.0.0-4.3.2; Fixed in: 4.4.0-4.4.5
2577499
QSFP+ 40G optics do not work on Spectrum platforms.
Affects: 4.3.0-4.3.2; Fixed in: 4.4.0-4.4.5
2574368
When you run the NCLU net add bgp maximum-paths ibgp command, FRR restarts unexpectedly
To work around this issue, either use the vtysh commands or edit the /etc/frr/frr.conf file directly, then run systemctl reload frr.
4.1.1-4.4.5
2566880
CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range.
Affects: 3.7.14-3.7.14.2, 4.0.0-4.3.2; Fixed in: 3.7.15-3.7.16, 4.4.0-4.4.5
2564534
Several vulnerabilities have been discovered in the GRUB2 bootloader
CVE-2020-14372: It was discovered that the acpi command allows a privileged user to load crafted ACPI tables when Secure Boot is enabled
CVE-2020-25632: A use-after-free vulnerability was found in the rmmod command
CVE-2020-25647: An out-of-bound write vulnerability was found in the grub_usb_device_initialize() function, which is called to handle USB device initialization
CVE-2020-27749: A stack buffer overflow flaw was found in grub_parser_split_cmdline
CVE-2020-27779: It was discovered that the cutmem command allows a privileged user to remove memory regions when Secure Boot is enabled
CVE-2021-20225: A heap out-of-bounds write vulnerability was found in the short form option parser
CVE-2021-20233: A heap out-of-bound write flaw was found caused by mis-calculation of space required for quoting in the menu rendering.
Affects: 4.0.0-4.3.2; Fixed in: 4.4.0-4.4.5
2556782
CM-33398
CVE-2021-0326: An issue has been found in wpa, a set of tools to support WPA and WPA2 (IEEE 802.11i). Missing validation of data can result in a buffer over-write, which might lead to a DoS of the wpa_supplicant process or potentially arbitrary code execution.
Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u1
Affects: 3.7.14-3.7.14.2, 4.0.0-4.3.2; Fixed in: 3.7.15-3.7.16, 4.4.0-4.4.5
2556777
CM-33395
CVE-2021-26937: A flaw in the handling of combining characters in screen, a terminal multiplexer with VT100/ANSI terminal emulation can result in denial of service, or potentially the execution of arbitrary code via a specially crafted UTF-8 character sequence.
Vulnerable: 4.6.2-3
Fixed: 4.6.2-3+deb10u1
Affects: 4.0.0-4.3.2; Fixed in: 4.4.0-4.4.5
2556772
CM-33391
The net show clag verify-vlans command fails with the following log:

WARNING: '/usr/bin/clagctl verifyvlans' failed due to:
Command '['/usr/bin/clagctl', 'verifyvlans']' returned non-zero exit status 1

To work around this issue, run the /usr/bin/clagctl verifyvlans command or the net show clag verbose command.
4.2.1-4.4.5
2556730
CM-33359
CVE-2020-8625: A buffer overflow vulnerability was discovered in the SPNEGO implementation affecting the GSSAPI security policy negotiation in BIND, a DNS server implementation, which could result in denial of service (daemon crash), or potentially the execution of arbitrary code.
Vulnerable: <= 9.11.5.P4+dfsg-5.1+deb10u2
Fixed: 9.11.5.P4+dfsg-5.1+deb10u3
Affects: 4.0.0-4.3.2; Fixed in: 4.4.0-4.4.5
2556369
CM-33196
If you use NCLU to configure an ACL for eth0, you cannot designate it as an INPUT rule; the rule is automatically created as a FORWARD rule in the /etc/cumulus/acl/policy.d/50_nclu_acl.rules file.
To work around this issue, manually create an ACL in a rules file under the /etc/cumulus/acl/policy.d/ directory with "-A INPUT -i eth0".
4.2.1-4.4.5
2556082
CM-33050
The NCLU net del vrf command does not delete a numbered VRF. For example:

cumulus@leaf01:~$ net del vrf 55
ERROR: Command not found
4.2.1-4.4.5
2556081
CM-33049
You cannot set the time zone with NCLU commands.
4.1.1-4.4.5
2555873
CM-32914
On Mellanox switches, egress ACLs with VLAN keys do not filter layer 2 multicast or broadcast traffic.
4.3.0-4.4.5
2555763
CM-32861
The NCLU net del bgp neighbor command does not delete the neighbor and displays an error similar to the following:

ERROR: --- /run/nclu/frr/frr.conf.scratchpad.baseline 2021-01-04 17:23:59.250463331 +0000
+++ /run/nclu/frr/frr.conf.scratchpad 2021-01-04 17:25:59.213673980 +0000

To work around this issue, use the FRR command to delete a neighbor.
4.3.0-4.4.5
2555613
CM-32786
The net show configuration commands command incorrectly displays the NCLU syntax to disable IPv6 forwarding on interfaces. For example:

# net show configuration commands
net add vlan 1 ip6-forward off

The correct NCLU command to disable IPv6 forwarding is net add vlan 1 ipv6 forward off (without the hyphen).
4.2.1-4.4.5
2555318
CM-32612
If you try to enable BGP graceful restart when it is already enabled, you see an error similar to the following in the frr.log file:

2020-12-07T19:20:26.004333+00:00 cumulus bgpd[4954]: VRF default: Handle GR command GLOBAL_GR_CMD, current GR state GLOBAL_GR, new GR state GLOBAL_INVALID

This error has no functional impact.
4.3.0-4.4.5
2555175
CM-32528
Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf because the peer Hold Down timer expires following prolonged link flaps when VXLAN-enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps.
Affects: 3.7.15-4.3.1; Fixed in: 4.3.2-4.4.5
2554986
CM-32416
The ethtool utility does not contain the latest values; as a result, the Revision Compliance field shows Unallocated.
4.2.1-4.4.5
2554812
CM-32296
If the RMAC of a layer 3 SVI changes, the show vrf vni command is not updated with the new value. However, the new RMAC is seen in the show evpn vni command and is present on self-originated EVPN routes.
4.2.1-4.4.5
2554783
CM-32274
If you apply an outbound route map to a BGP peer that uses set as-path prepend last-as, advertised locally-originated routes have the ASN of the peer prepended to the AS path.
This might trigger AS path loop prevention on the peer, where the peer ignores locally-originated prefixes.
Affects: 4.2.1-4.4.5; Fixed in: 5.0.0-5.8.0
2554709
CM-32217
The IP address specified in the ip pim use-source command configured on the loopback interface should be inherited by unnumbered interfaces during their Primary IP address selection process. If ip pim use-source is configured on the loopback after an unnumbered interface has already selected their Primary IP address, the unnumbered interface does not update its Primary IP address to be the new use-source value until after there is a netlink update for that interface.
To work around this issue, configure ip pim use-source on each unnumbered interface directly or ensure ip pim use-source is applied to the loopback before other unnumbered interfaces are enabled for PIM.
3.7.13-3.7.16, 4.2.1-4.4.5
2554670
CM-32194
When you have a large number of ACLs, the cl-acltool -L ip and cl-resource-query commands take a long time to complete.
4.3.0-4.4.5
2554582
CM-32144
On switches with the Maverick ASIC, control traffic is dropped due to receive buffering.
4.2.0-4.4.5
2554533
CM-32112
On the ARM platform, NTP peer associations slowly increase to larger offsets (~500ms).
4.0.0-4.4.5
2554466
CM-32068
Kernel routes added by iproute2 are missing in FRR after an interface flap.
To work around this issue, configure a static route in FRR.
4.2.1-4.4.5
2554299
CM-31962
In a VRRP configuration, BGP unnumbered sessions for VRFs fail to establish after a networking restart.
Affects: 4.2.0-4.3.2; Fixed in: 4.4.0-4.4.5
2554222
CM-31921
The NCLU command to enable bridge learning fails.
To work around this issue, enable bridge learning in the /etc/network/interfaces file. For example:

auto vni-30
iface vni-30
vxlan-id 30
bridge-access 30
bridge-arp-nd-suppress on
bridge-learning on
vxlan-local-tunnelip 10.10.10.1
mstpctl-bpduguard yes
mstpctl-portbpdufilter yes
mtu 9166
4.2.1-4.4.5
2554218
CM-31917
MLAG packets received on the peer link are dropped instead of routed.
4.2.0-4.4.5
2554202
CM-31904
The output of the net show commit command does not show the last commit or the specified commit number but is empty instead.
4.2.1-4.4.5
2553989
CM-31759
The default policer configured for LACP as an INPUT chain rule in 00control_plane.rules is meant to protect the CPU from an LACP storm. When an LACP storm originates from a single bond or bond member interface on a switch with multiple bond interfaces, other LACP bond interfaces might go down.
4.2.1-4.4.5
2553887
CM-31700
When TACACS+ is configured with a DEFAULT user that provides a privilege level lower than 16, TACACS+ users configured with privilege level 16 might not be able to run privilege level 16 NCLU commands, such as net add and net del, and see an error similar to the following:

ERROR: You do not have permission to execute that command.

To work around this issue, remove the DEFAULT user from the TACACS+ server.
3.7.7-3.7.16, 4.0.0-4.4.5
2553677
CM-31605
When you configure an SNMPv3 user with the net-snmp-config configuration command from the libsnmp-dev package, you get an error message similar to the one below:

cumulus@switch:mgmt-vrf:~$ sudo net-snmp-config --create-snmpv3-user -a shaauthpass -x aesprivpass -A SHA -X AES userSHAwithAES
adding the following line to /var/lib/snmp/snmpd.conf:
createUser userSHAwithAES SHA "shaauthpass" AES "aesprivpass"
adding the following line to /snmp/snmpd.conf:
rwuser userSHAwithAES
touch: cannot touch '/snmp/snmpd.conf': No such file or directory
/usr/bin/net-snmp-create-v3-user: 144: /usr/bin/net-snmp-create-v3-user: cannot create /snmp/snmpd.conf: Directory nonexistent

To work around this issue, use the NCLU command to configure SNMPv3 user parameters; for example:

cumulus@switch:mgmt-vrf:~$ net add snmp-server username user999 auth-md5 user999password encrypt-des user999encryption

Alternatively, directly edit the /etc/snmp/snmpd.conf file as described in the documentation.
3.7.13-3.7.16, 4.0.0-4.4.5
2553237
CM-31418
The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF.
NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF.

4.2.0-4.4.5
2553116
CM-31357
When you manually set the link speed or duplex mode with ethtool to an unsupported value, then run a TDR check against the interface, you encounter a switchd service heartbeat failure.
To work around this issue, reboot the switch to clear the condition. Avoid setting the interface speed or duplex mode directly with ethtool.
3.7.12-3.7.16, 4.0.0-4.4.5
2553015
CM-31300
If the PortID advertised by an LLDP neighbor contains a special character, the net show interface command does not display the LLDP information or the command might fail.
3.7.10-3.7.16, 4.2.0-4.4.5
2552691
CM-31111
On the EdgeCore AS4610 switch, the eth0 interface remains down when physically connected to a 1G interface.
To work around this issue, configure the link speed to 1000 and set auto-negotiation on for the eth0 interface, then flap eth0 with the ip link set eth0 down/up command to bring up the port.
4.2.0-4.4.5
2552453
CM-30987
On the Mellanox switch, RoCE with PFC configuration is not applied to all ports in hardware when a range is used in the traffic.conf file.
To work around this issue, use NCLU to configure RoCE with PFC or list individual ports in the traffic.conf file.
4.2.0-4.4.5
2552309
CM-30889
The following messages are seen on an Edgecore Minipack-AS8000 running Cumulus Linux 4.2.0:

Hal_bcm_console.c:294 MMU config profile 0 prigroup 0: Service Pool 0 has no space and cannot be assigned
Hal_bcm_console.c:294 MMU config port 0 idx 0: Pool 0 has no space and cannot be assigned

These messages are for internal validation purposes only and can be safely ignored.
4.2.0-4.4.5
2552294
CM-30879
NCLU restarts FRR when removing a BGP VRF IPv4 aggregate-address command.
3.7.12-3.7.16, 4.0.0-4.4.5
2552266
CM-30863
OpenSSH scp is vulnerable to CVE-2020-15778, where clients that have authorized access to the SSH server can execute commands on the server by copying maliciously named files.
There are two scenarios where an exploit may be useful to an attacker:
- The user is authorized to scp but not ssh (based on the command option in the authorized_keys file), so this vulnerability allows the user to execute a remote command on the target computer without being authorized to do so.
- An attacker plants a maliciously named file in a directory tree that someone later copies to the target computer with scp -r.
Be aware that restricting users to scp by using the command option in the authorized_keys file is not effective in preventing those users from executing arbitrary commands on the server.
If you want to use scp -r to copy directory trees, avoid copying directory trees to which attackers may have added maliciously named files. Archiving the directory tree with tar, zip, or a similar program, then copying the archive over to be extracted on the server avoids having to use scp -r altogether. In addition, OpenSSH provides sftp, which you can use instead of scp to copy files.
To disable scp completely, run /bin/chmod 0 /usr/bin/scp.
3.7.14-3.7.16, 4.0.0-4.4.5
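As an added example (not Cumulus Linux or OpenSSH code), the following POSIX shell helpers implement the two mitigations the note above recommends: screening a directory tree for file names that scp -r would paste into the remote shell's command line, and copying a tree through tar over ssh so that no file name reaches the remote shell at all. It assumes find, tar and ssh are available; the host and path names in the usage comment are placeholders.

```bash
#!/bin/sh
# Added example for the CVE-2020-15778 note above; not Cumulus Linux or
# OpenSSH code. Assumes POSIX sh with find(1), tar(1) and ssh(1). The
# "switch" host and /var/tmp paths in the usage comment are placeholders.
#
# scp builds the remote command by pasting each local file name into a string
# that the remote shell expands, so a name containing a backtick, $(...), ';'
# and the like is executed there. Two defensive helpers:
#   names_are_safe     - refuse a tree that contains such names before scp -r
#   copy_tree_via_tar  - copy a tree without handing any file name to the
#                        remote shell

# names_are_safe DIR
# Returns 0 if no entry under DIR has a shell-sensitive character in its name;
# otherwise lists the offending paths on stderr and returns 1.
names_are_safe() {
    dir=$1
    # Characters the remote shell would interpret inside an scp path.
    meta='`$;|&<>()"'\'
    nl='
'
    matches=$(find "$dir" \( -name "*[$meta]*" -o -name "*${nl}*" \) -print)
    if [ -n "$matches" ]; then
        printf 'refusing to scp %s: unsafe file names:\n%s\n' "$dir" "$matches" >&2
        return 1
    fi
    return 0
}

# copy_tree_via_tar SRC_DIR HOST DEST_DIR
# Streams SRC_DIR through tar over ssh. tar reads the file names locally, so
# the only string the remote shell expands is DEST_DIR, which must be an
# operator-chosen literal path (no single quotes).
copy_tree_via_tar() {
    src=$1 host=$2 dest=$3
    case $dest in
        *\'*) echo "destination path must not contain single quotes" >&2; return 1 ;;
    esac
    tar -C "$(dirname "$src")" -cf - "$(basename "$src")" |
        ssh "$host" "tar -C '$dest' -xf -"
}

# Usage (placeholders):
#   names_are_safe ./build && scp -r ./build switch:/var/tmp/
#   copy_tree_via_tar ./build switch /var/tmp
```

The screening helper is a stop-gap for hosts where scp -r is still in use; the tar pipe is the durable fix, because the file names travel inside the archive stream rather than on the remote command line.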
2551666
CM-30473
If you modify an interface name, then reuse the previous interface name for a different VLAN, the ifreload -a command generates an error similar to the following:

warning: : interface not recognized - please check interface configuration

4.1.0-4.4.5
2551578
CM-30422
When you configure a bridge in the /etc/network/interfaces file, then try to reconfigure the bridge to be a VRF interface with the same name, ifreload/ifup commands fail with an invalid table id or unable to get vrf table id error.3.7.12-3.7.16, 4.0.0-4.4.5
2551565
CM-30414
If you toggle VRRP priority values between VRRP routers, then restart switchd, a few IPv6 VRRP instances might not converge. As a result, both the VRRP routers act as master routers for the impacted IPv6 VRRP instances. IPv4 VRRP instances are not affected.
To work around this issue, remove, then add back the VRRP configuration with NCLU or vtysh commands.
3.7.13-3.7.16, 4.2.0-4.4.5
2551335
CM-30312
When TACACS+ is configured and the management VRF is enabled, users with privilege level 13 are prevented from running ip and cat commands.4.0.0-4.4.5
2551305
CM-30296
The net show configuration command provides the wrong net add command for ACL under the VLAN interface.

3.7.12-3.7.16, 4.1.0-4.4.5
2551273
CM-30280
On a Mellanox SN2010 switch, the Locator LED is on after you upgrade Cumulus Linux.4.1.0-4.4.5
2551221
CM-30255
When span-to-cpu is enabled on a layer 3 swp interface with an IP address configured, packets whose destination IP is the switch port's IP address do not reach the switch port. To capture packets directed towards the switch port's IP address, disable span-to-cpu and use tcpdump on the switch port instead.
4.2.0-4.4.5
2551111
CM-30230
If a remote EVPN Sticky MAC [Static MAC address] is unexpectedly learned dynamically on a local interface, the selected entries in zebra and BGP are in an inconsistent state.
zebra increments the local MAC mobility sequence number and considers the MAC address to be local, but BGP maintains the remote Sticky MAC as the best path selected. This results in zebra installing the local MAC address and BGP not updating the route for the MAC address.
4.0.0-4.4.5
2550974
CM-30195
On the Dell S3000 switch, after installing the Cumulus Linux 4.1.1 disk image without a license, the switch sends a link beat if a remote host port is configured.3.7.11-3.7.16, 4.1.1-4.4.5
2550793
CM-30101
The NCLU net show bridge spanning-tree command displays the aging timer incorrectly.3.7.12-3.7.16, 4.0.0-4.4.5
2550713
CM-30052
Configuring the subinterface of a VXLAN uplink under another traditional bridge, which also has the VXLAN VNI enslaved, causes switchd to use high CPU due to very frequent VXLAN tunnel sync events.
To work around this issue, do not enslave the subinterface of a VXLAN layer 3 uplink under a traditional bridge in a VXLAN configuration.
4.1.1-4.4.5
2550704
On the Mellanox SN3420 switch, 25G SR optics only link up in force mode.
Affects: 4.3.0-4.3.2; Fixed in: 4.4.0-4.4.5
2550642
CM-30006
ACLs with a SPAN target and a bond member as the in-interface are not supported on Spectrum-based switches.
4.2.0-4.4.5
2550444
CM-29872
Tab completion for the net show rollback description command returns information about a snapshot instead of context help.
To work around this issue, run the net show commit history command to find descriptions instead of the net show rollback description command.
3.7.12-3.7.16, 4.0.0-4.4.5
2550443
CM-29871
The net show rollback description command returns an error even if the string matches a commit description.
To work around this issue, look for your string in the output of the net show commit history command (or grep for it there) instead.
3.7.12-3.7.16, 4.0.0-4.4.5
2550243
CM-29759
When you use nginx and restserver in management VRF to provide a REST API for the switch, nginx starts but restserver fails to start.
To work around this issue, comment out the Requires= line in the /lib/systemd/system/restserver.service file. For example:

#Requires=nginx.service restserver.socket
3.7.12-3.7.16, 4.0.0-4.4.5
2550056
CM-29652
The ACCTON-DIAG option under the Cumulus Linux GRUB menu does not work. When you select this option, you see the following error:

error: invalid signature.
Press any key to continue…
3.7.12-3.7.16, 4.1.1-4.4.5
2549925
CM-29594
When you run an Ansible script to replace the /etc/network/interfaces file, then run the ifreload -a command, you see errors similar to the following:

error: swp1s1.2: netlink: cannot set link swp1s1.2 up: operation failed with 'Network is down' (100)
warning: cmd '/bin/ip addr del 10.0.0.1/24 dev eth0' failed: returned 2 (RTNETLINK answers: Cannot assign requested address)

To work around this issue, run the ifreload -a command a second time.
3.7.12-3.7.16, 4.0.0-4.4.5
2549872
CM-29562
If you have an SVI with multiple VRR IP addresses and try to delete one of the VRR configurations, net commit or ifreload -a returns an error.3.7.12-3.7.16, 4.1.1-4.4.5
2549782
CM-29519
The JSON format output of the net show bgp l2vpn evpn summary command shows the incorrect neighbour state.3.7.12-3.7.16, 4.0.0-4.4.5
2549731
CM-29492
When you create SPAN or ERSPAN rules in ebtables, the action fails to install if it is not in lowercase. Make sure that the SPAN or ERSPAN action is all lowercase; for example:

[ebtables]
-A FORWARD --in-interface swp10 -j span --dport swp1
3.7.12-3.7.16, 4.1.1-4.4.5
2549392
CM-29319
When you configure an RD or RT with NCLU, you see duplicate VNI stanzas in the /etc/frr/frr.conf file.
To work around this issue, manually edit the /etc/frr/frr.conf file to define advertise-all-vni before the RD or RT configuration within the l2vpn EVPN address family, then reload the FRR service with the sudo systemctl reload frr command.
4.1.0-4.4.5
2549371
CM-29309
When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when no MLD join has been received.
Affects: 3.7.11-4.3.2; Fixed in: 4.4.0-4.4.5
2548924
CM-29146
On the EdgeCore Minipack AS8000, storm control does not restrict unknown unicast, broadcast, or multicast traffic.4.1.1-4.4.5
2548657
CM-29035
When you upgrade Cumulus Linux on the EdgeCore AS7726-32X or AS7326-56X switch, you might see firmware errors similar to the following:

W: Possible missing firmware /lib/firmware/tigon/tg3_tso5.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3_tso.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3.bin for module tg3

You can safely ignore these error messages.
3.7.12-3.7.16, 4.0.0-4.4.5
2548579
The following security vulnerability has been announced:
CVE-2020-10531: An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp.
Affects: 3.7.12, 4.0.0-4.4.5; Fixed in: 3.7.13-3.7.16
2548315
CM-28816
The following security advisory has been announced for bash:
CVE-2019-18276 Qualys scan QID 372268 setuid vulnerability
When bash or bash scripts are run setuid, bash is supposed to drop privileges, but does so incorrectly, so that an attacker with command access to the shell can use enable -f for runtime loading of a new builtin that calls setuid() to regain dropped privileges.
To work around this issue, do not make bash or bash scripts setuid.
3.7.12-3.7.16, 4.0.0-4.4.5
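The following audit script is an added example (not Cumulus Linux code) for the workaround above: it lists setuid regular files that are either a copy of the bash binary or a script whose #! line runs bash, so you can confirm that neither exists on the switch. It assumes POSIX sh with find, cmp and grep, and that bash lives at /bin/bash unless BASH_BIN is set.

```bash
#!/bin/sh
# Added example for the CVE-2019-18276 note above; not Cumulus Linux code.
# Assumes POSIX sh with find(1), cmp(1) and grep(1), and that the system bash
# is /bin/bash (override with BASH_BIN=/path/to/bash).
#
# The advisory's workaround is "do not make bash or bash scripts setuid". This
# audit lists what would violate it: setuid regular files that are either a
# byte-for-byte copy of bash or a script whose #! line runs bash.

# setuid_bash_copies ROOT
# Prints one "path<TAB>reason" line per finding and returns 1 if anything was
# found, 0 if ROOT is clean. Stays on ROOT's filesystem (-xdev) so a scan of /
# does not wander into /proc or network mounts.
setuid_bash_copies() {
    root=$1
    bash_bin=${BASH_BIN:-/bin/bash}
    hits=$(find "$root" -xdev -type f -perm -4000 -print 2>/dev/null |
        while IFS= read -r f; do
            if [ -f "$bash_bin" ] && cmp -s "$f" "$bash_bin"; then
                # Same bytes as the system bash, renamed or not.
                printf '%s\tsetuid copy of %s\n' "$f" "$bash_bin"
            elif head -n 1 "$f" 2>/dev/null | grep -q '^#!.*bash'; then
                # Interpreter line names bash (directly or via env).
                printf '%s\tsetuid script interpreted by bash\n' "$f"
            fi
        done)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Usage:
#   setuid_bash_copies / || echo "remediate the paths above with chmod u-s"
```

Other setuid binaries (sudo, passwd and so on) are not reported, because the first line of an ELF file does not start with #! and they do not compare equal to bash; only the two patterns the advisory warns against are flagged.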
2548310
CM-28812
When the system boots, you might see errors similar to the following:

cumulus systemd-udevd[7566]: Process '/usr/bin/hw-management-thermal-events.sh add thermal_zone /sys/devices/virtual/thermal/thermal_zone25 thermal_zone25' failed with exit code 1

These errors result from user space acting on kernel events slightly late. The mlxsw_minimal driver is added during kernel boot; an SDK reset then deletes and re-instantiates the driver. The user space handler for the thermal zone sees the add event first, but the underlying device is deleted before the handler can act on it. The situation corrects itself when the mlxsw_minimal driver is re-instantiated later.
4.1.0-4.4.5
2548260
CM-28770
The net add routing route-map permit set community command does not add the set statement into the /etc/frr/frr.conf file.4.0.0-4.4.5
2548243
CM-28754
On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules.3.7.3-3.7.16, 4.0.0-4.4.5
2548117
CM-28659
In OVSDB traditional bridge mode, adding or removing a VLAN binding causes a traffic forwarding outage for around 20 seconds or more on adjacent VLAN bindings. Cumulus Linux does not support traditional bridge mode with VMware NSX.3.7.12-3.7.16, 4.0.0-4.4.5
2548062
CM-28622
When ports are split to 4x25G, RS FEC needs to be explicitly configured on both ends (especially when interoperating with non-Mellanox switches).
4.1.0-4.4.5
2548044
CM-28608
When a remote VTEP withdraws a type-3 EVPN route, Cumulus Linux purges all MAC address and neighbor entries installed in the corresponding layer 2 VNI through that remote VTEP from the local EVPN and kernel forwarding tables. This purge occurs even if the remote VTEP does not withdraw type-2 routes carrying the MAC address or neighbor entries. The entries stay missing from the local EVPN and kernel forwarding tables until BGP updates the MAC address and neighbor.
Affects: 3.7.12-3.7.15, 4.0.0-4.4.5; Fixed in: 3.7.16
2547903
CM-28506
CVE-2019-19956: xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs
Vulnerable: 2.9.4+dfsg1-7
Fixed: 2.9.4+dfsg1-7+deb10u1
4.0.0-4.4.5
2547890
CM-28497
QinQ across VXLAN on a traditional bridge does not work.4.1.0-4.4.5
2547782
CM-28441
If an LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns.
3.7.11-3.7.16, 4.0.0-4.4.5
2547706
CM-28397
When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch.
3.7.11-3.7.16, 4.0.0-4.4.5
2547405
CM-28226
When you restart the hsflowd service, you see a systemd warning message similar to the following:

Warning: The unit file, source configuration file or drop-ins of hsflowd@mgmt.service changed on disk. Run 'systemctl daemon-reload'.
4.0.0-4.4.5
2547120
CM-28076
After you hot swap a PSU, the decode-syseeprom -t psuX command shows the old PSU information (such as the serial number) until you run the decode-syseeprom --init command.
3.7.11-3.7.16, 4.0.0-4.4.5
2546991
CM-28003
The FRR service does not provide a way for automation to know if the configuration applied properly.
To work around this issue, execute the vtysh -f command in the automation file before starting the FRR service to validate the functional configuration and return an error code.
3.7.11-3.7.16, 4.0.0-4.4.5
2546895
CM-27957
If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following:

systemd[1]: switchd.service watchdog timeout (limit 2min)!

To work around this issue, either reduce the number of configured interfaces or VLANs, or increase the systemd timeout for switchd.service.
To increase the systemd timeout:
1. Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter.
2. Restart the switchd service with the sudo systemctl restart switchd.service command.
systemd attempts to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command.
3.7.11-3.7.16, 4.0.0-4.4.5
2546874
CM-27950
On the Dell S5232F, S5248F, S5296F, and S3048 switches, the poweroff and halt commands do not fully power off the switch.
4.0.0-4.4.5
2546255
CM-27637
On the EdgeCore Minipack-AS8000 switch, a 100G DAC link does not come up when auto-negotiation is enabled on the neighbor. This switch does not support 100G DAC auto-negotiation at this time.4.0.0-4.4.5
2546225
CM-27627
When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support.
 
sudo onie-install -fai http://
sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image.
3.7.11-3.7.16, 4.0.0-4.4.5
2546131
CM-27581
On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present.
3.7.11-3.7.16, 4.0.0-4.4.5
2545837
CM-27444
If you use the NCLU commands to configure NTP and run the net add time ntp source command before you run the net add time ntp server iburst command, the /etc/ntp.conf file is misconfigured.
To work around this issue, run the net add time ntp server iburst command before you run the net add time ntp source command.
Affects: 3.7.10-3.7.11, 4.0.0-4.4.5; Fixed in: 3.7.12-3.7.16
2545520
CM-27243
The length of the netlink message is not set properly for non-bridge family type messages. The same length is used for both bridge and non-bridge messages even though the bridge family type message has an extra attribute. This causes extra bytes to be left over in non-bridge family type netlink messages.
Affects: 3.7.10, 4.0.0-4.4.5; Fixed in: 3.7.11-3.7.16
2545239
CM-27099
On the Mellanox switch with the Spectrum-2 ASIC, Precision Time Protocol (PTP) is not currently supported.
Affects: 4.0.0-4.3.2; Fixed in: 4.4.0-4.4.5
2545233
CM-27094
On the Delta AG9032v1 switch, smonctl and sensors report inaccurate PSU current and power.4.0.0-4.4.5
2545125
CM-27018
If you configure more than one VRR interface on an SVI interface, deleting one of the VRR addresses does not remove the interface/address.3.7.10-3.7.16, 4.0.0-4.4.5
2544978
CM-26921
If you delete an undefined bond, then add a bond slave, the net commit command fails.3.7.9-3.7.16, 4.0.0-4.4.5
2544968
CM-26913
FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:

sudo sh -c "printf 'interface 50\nvrf TEST description L3 routing interface\n' >> /etc/frr/frr.conf"

should be:

sudo sh -c "printf 'interface 50 vrf TEST\ndescription L3 routing interface\n' >> /etc/frr/frr.conf"

To work around this issue, configure the interface manually in the /etc/frr/frr.conf file.
3.7.9-3.7.16, 4.0.0-4.4.5
2544957
CM-26907
NCLU incorrectly allows you to apply port security configuration on layer 2 and layer 3 ports that are not part of a bridge.4.0.0-4.4.5
2544953
CM-26905
When you update the hostname of a switch with the NCLU net add hostname command, then run net commit, the lldpd service does not restart and other devices still see the old hostname.
To work around this issue, run the sudo systemctl restart lldpd.service command.
3.7.10-3.7.16, 4.0.0-4.4.5
2544880
CM-26860
When you run the NCLU net show commit last command, or the net show commit command with the number of the last commit, no output is shown.
4.0.0-4.4.5
2544723
CM-26769
Setting ProtoDown on ports populated with SFP modules providing RJ-45 1000BASE-T interfaces does not cause the carrier to be dropped. The kernel shows carrier down; however, the remote device still shows a link.
Affects: 3.7.6-3.7.10, 4.0.0-4.4.5; Fixed in: 3.7.11-3.7.16
2544463
CM-26599
Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.
To work around this issue, do not use auto-negotiation and set the local port speed to 10G.
3.7.9-3.7.16, 4.0.0-4.4.5
2544456
CM-26595
The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds.3.7.9-3.7.16, 4.0.0-4.4.5
2544311
CM-26516
Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host.3.7.5-3.7.16, 4.0.0-4.4.5
2544155
CM-26423
NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order.

3.7.5-3.7.16, 4.0.0-4.4.5
2544113
CM-26412
MAC learning is not disabled by default on a double-tagged peer link interface, resulting in the MAC address moving between the MLAG bond and the peer link.
To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the /etc/network/interfaces file.
3.7.9-3.7.16, 4.0.0-4.4.5
2543937
CM-26308
An interface alias configured outside FRR using iproute2 is imported into the FRR running configuration and overrides the internal description. After an FRR reload, this causes FRR to delete the interface alias in an inefficient way. Depending on how many interfaces with aliases you have configured, this can cause a FRR reload to time out.
To work around this issue, remove the interface alias description from iproute2.
Affects: 3.7.8-3.7.10, 4.0.0-4.4.5; Fixed in: 3.7.11-3.7.16
2543915
CM-26301
When you enable a service in the management VRF, systemctl issues a warning similar to the following:
Warning: The unit file, source configuration file or drop-ins of ntp@mgmt.service changed on disk. Run 'systemctl daemon-reload' to reload unit
You can safely ignore this warning.
4.0.0-4.4.5, 5.0.0-5.8.0
2543900
CM-26288
On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address.3.7.8-3.7.16, 4.0.0-4.4.5
2543841
CM-26256
The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
3.7.8-3.7.16, 4.0.0-4.4.5
2543816
CM-26241
On the Dell S5248F-ON switch, smond might generate syslog messages indicating that the fan input RPM is lower than the normal low speed of 2500 RPM. Speeds as low as 1700 RPM are acceptable in normal thermal environments; therefore, you can ignore these messages.
Affects: 3.7.6-3.7.11, 4.0.0-4.4.5
Fixed: 3.7.12-3.7.16
2543781
CM-26217
NCLU does not allow you to configure OSPF NSSAs. For example:

cumulus@switch:~$ net add ospf area 0.0.0.1 nssa
ERROR: Command not found.
net add ospf area 0.0.0.1 nssa

To work around this issue, use FRR instead. For example:

switch# configure terminal
switch(config)# router ospf
switch(config-router)# area 0.0.0.1 nssa
Affects: 3.7.7-3.7.10, 4.0.0-4.4.5
Fixed: 3.7.11-3.7.16
2543724
CM-26179
If a hostname contains utf-8 characters, the NCLU net show lldp command outputs the following error:

ERROR: 'ascii' codec can't encode character u'\xe9' in position 3: ordinal not in range(128)
See /var/log/netd.log for more details.
Affects: 3.7.7-3.7.10, 4.0.0-4.4.5
Fixed: 3.7.11-3.7.16
2543646
CM-26136
In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case).
3.7.6-3.7.16, 4.0.0-4.4.5
2543401
CM-25986
On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces.
To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish.
4.0.0-4.4.5
2543211
CM-25890
In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18).
3.7.0-3.7.16, 4.0.0-4.4.5
2543164
CM-25859
The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.
To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command.
3.7.7-3.7.16, 4.0.0-4.4.5
2543096
CM-25815
When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted.
3.7.6-3.7.16, 4.0.0-4.4.5
2542945
CM-25740
On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags.
To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad:

cumulus@switch:~$ net add bridge mybridge vlan-protocol 802.1ad
3.7.6-3.7.16, 4.0.0-4.4.5
2542837
CM-25674
On Mellanox switches, policer iptables are not working as expected. For example, when using a policer with mode KB/MB/GB to rate-limit interfaces, the syntax is accepted but the data plane transfer speed is not affected by the rule.
Affects: 3.7.6-3.7.8, 4.0.0-4.4.5
Fixed: 3.7.9-3.7.16
2542305
CM-25400
If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically.
3.7.6-3.7.16, 4.0.0-4.4.5
2542301
CM-25397
When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted.
3.7.3-3.7.16, 4.0.0-4.4.5
2541212
CM-24894
The maximum-prefix configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded.
3.7.5-3.7.16, 4.0.0-4.4.5
2541029
CM-24799
On switches with the Trident2 ASIC, 802.1Q-encapsulated control plane traffic received on an interface with 802.1AD configured subinterfaces might be dropped.
This issue only affects QinQ configurations.
3.7.5-3.7.16, 4.0.0-4.4.5
2540753
CM-24618
If the interface alias contains a single or double quotation mark, or an apostrophe, the net show configuration commands fail with the following error:
 
ERROR: No closing quotation
See /var/log/netd.log for more details.

3.7.5-3.7.16, 4.0.0-4.4.5
2540444
CM-24473
SNMP incorrectly requires engine ID specification.
3.7.4-3.7.16, 4.0.0-4.4.5
2540352
CM-24435
When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a match interface condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces.
For example, this command is incorrect:
 
net add routing route-map Proxy-ARP permit 25 match interface swp9-10

These commands are correct:
 
net add routing route-map Proxy-ARP permit 25 match interface swp9
net add routing route-map Proxy-ARP permit 30 match interface swp10

3.7.2-3.7.16, 4.0.0-4.4.5
2540340
CM-24426
NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays . For example:
 
cumulus@switch:~$ net add vrf mgmt

Tab completion for the net add vrf ip address command works correctly.
3.7.4-3.7.16, 4.0.0-4.4.5
2540274
CM-24379
On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route.
3.7.5-3.7.16, 4.0.0-4.4.5
2540204
CM-24350
When links come up after FRR is started, VRF connected routes do not get redistributed.
3.7.4-3.7.16, 4.0.0-4.4.5
2540192
CM-24343
The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.
To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value.
3.7.4-3.7.16, 4.0.0-4.4.5
2540155
CM-24332
On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.
3.7.3-3.7.16, 4.0.0-4.4.5
2540042
CM-24272
When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.
To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example:
 
cumulus@switch:~$ sudo vtysh
switch# configure terminal
switch(config)# interface br0.100
switch(config-if)# vrrp 1 priority 110
switch(config-if)# vrrp 1 advertisement-interval
switch(config-if)# end
switch# write memory
switch# exit
cumulus@switch:~

3.7.4-3.7.16, 4.0.0-4.4.5
2540041
CM-24271
On SVIs in a VLAN-aware bridge, you cannot change the VRRP priority with NCLU.
To work around this issue, run the vtysh command inside FRR to change the default priority. For example:
 
cumulus@switch:~$ sudo vtysh
switch# configure terminal
switch(config)# interface vlan100
switch(config-if)# vrrp 1 priority 110
switch(config-if)# end
switch# write memory
switch# exit
cumulus@switch:~

3.7.4-3.7.16, 4.0.0-4.4.5
2540040
CM-24270
Cumulus Linux uses VRRPv3 as the default version, and enables both preempt and accept mode by default. You cannot change these default values with NCLU. To work around this issue, run the vtysh commands (inside FRR) to change the default values. For example:
 
cumulus@switch:~$ sudo vtysh
switch# configure terminal
switch(config)# interface swp4
switch(config-if)# vrrp 1 version 2
switch(config-if)# no vrrp 1 preempt
switch(config-if)# end
switch# write memory
switch# exit
cumulus@switch:~

3.7.4-3.7.16, 4.0.0-4.4.5
2540031
CM-24262
NCLU does not honor auto all in the /etc/network/interfaces file and removes the existing configuration if no individual auto lines exist.
3.7.3-3.7.16, 4.0.0-4.4.5
2539994
CM-24241
When you try to remove a BGP peer group configuration with NCLU, the command fails but no warning message is shown. For example:
 
cumulus@switch:~$ net del bgp neighbor fabric peer-group
'router bgp 65001' configuration does not have 'neighbor fabric peer-group'

3.7.2-3.7.16, 4.0.0-4.4.5
2539962
CM-24222
When an LDAP user that does not have NCLU privileges (either in the netshow or netedit group, or in the /etc/netd.conf file) runs an NCLU command, a traceback occurs instead of a permissions error.
3.7.0-3.7.16, 4.0.0-4.4.5
2539670
CM-24035
On the Edgecore 4610-54P switch, automatic medium-dependent interface crossover (auto-MDIX) stops working on a 100M full duplex interface and does not detect the required cable connection type.
3.7.2-3.7.16, 4.0.0-4.4.5
2539124
CM-23825
The net add interface ptm-enable command adds no ptm-enable for that interface in the frr.conf file.
Running the net add or the net del command does not remove no ptm-enable from the frr.conf file. You have to remove it manually using vtysh.
3.7.2-3.7.16, 4.0.0-4.4.5
2538790
CM-23665
NCLU automatically adds the VLAN ID (for the layer 3 VNI/SVI) to the bridge when you run net add vxlan bridge access . This configuration breaks network connectivity in an EVPN symmetric routing configuration using MLAG.
To restore connectivity, remove the VLAN ID from the bridge.
3.7.2-3.7.16, 4.0.0-4.4.5
2538590
CM-23584
When you configure a control plane ACL to define permit and deny rules destined to the local switch, NCLU programs the control plane ACL rules into the FORWARD chain.
3.7.2-3.7.16, 4.0.0-4.4.5
2538562
CM-23570
On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the /etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up.
After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown.
To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings.
Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G.
3.7.2-3.7.16, 4.0.0-4.4.5
2538294
CM-23417
If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid.
3.7.0-3.7.16, 4.0.0-4.4.5
2537699
CM-23075
There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces:
 
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
3.7.1-3.7.16, 4.0.0-4.4.5
2537544
CM-23021
When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB.
3.7.1-3.7.16, 4.0.0-4.4.5
2536576
CM-22554
If you try to bring down several members of a bond remotely at the same time, the link state of one of the interfaces might not transition correctly to the down state; however, all links show down in hardware.
4.0.0-4.4.5
2536384
CM-22386
The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.
3.7.0-3.7.16, 4.0.0-4.4.5
2536256
CM-22301
For an unresolved address, the IPROUTER default policer rule has been modified to not match on packets exiting a TUNNEL and headed to the CPU to resolve the address via ARP. As a result, the following default rule no longer matches TUNNEL ingress packets.
 
-A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type IPROUTER -j POLICE --set-mode pkt --set-rate 400 --set-burst 100

These packets are now policed by catch all rules.
To work around this issue, the VPORT value on a TRIDENT switch must be changed from binary 011 to 100.
4.0.0-4.4.5
2536242
CM-22287
On the EdgeCore AS7712 (Tomahawk) switch running in atomic mode, when a layer 3 ECMP path is brought down, traffic traversing the path stops working for about four seconds. When the switch is changed to non-atomic mode, the delay is less than one second. This issue is seen across OSPF and static ECMP routes.
4.0.0-4.4.5
2536179
CM-22228
On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working.
3.7.0-3.7.16, 4.0.0-4.4.5
2535986
CM-22041
At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets.
When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart.
3.7.0-3.7.16, 4.0.0-4.4.5
2535965
CM-22020
On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly.
To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic.
3.7.0-3.7.16, 4.0.0-4.4.5
2535723
CM-21785
The ICMPv6 time exceeded message (traceroute hop) is sourced from the wrong VRF when the traceroute target resides on the same switch but in a different VRF.
4.0.0-4.4.5
2535605
CM-21667
FRR does not add BGP ttl-security to either the running configuration or to the /etc/frr/frr.conf file when configured on a peer group instead of a specific neighbor.
To work around this issue, add ttl-security to individual neighbors instead of the peer group.
4.0.0-4.4.5
2535209
CM-21278
The net show lldp command sometimes shows the port description in the Remote Port field. The net show interface command shows the correct value in the Remote Host field.
To work around this issue, use net show interface command for LLDP output when connected to Cisco equipment.
Affects: 3.7.5-3.7.10, 4.0.0-4.4.5
Fixed: 3.7.11-3.7.16
2534734
CM-20813
Span rules matching the out-interface as a bond do not mirror packets.
4.0.0-4.4.5
2533691
CM-19788
If you configure a VLAN under a VLAN-aware bridge and create a subinterface of the same VLAN on one of the bridge ports, the bridge and interface compete for the same VLAN and if the interface is flapped, it stops working. Correcting the configuration and running the ifreload command does not resolve the conflict.
To work around this issue, correct the bridge VIDs and restart switchd or delete the subinterface.
3.7.12-3.7.16, 4.0.0-4.4.5
2533625
CM-19724
PIM and MSDP entries are set to the internal COS value of 6 so they are grouped together with the bulk traffic priority group in the default traffic.conf file. However, PIM, IGMP, and MSDP are considered control-plane and should be set to the internal COS value of 7.
4.0.0-4.4.5
2533337
CM-19454
When you use NCLU to bring a bond admin down (net add bond link down), the bond interface goes into admin down state but the switch ports enslaved to the bond remain UP. If you are using bond-lacp-bypass-allow or balance-xor mode, the host might continue to send traffic. This traffic will be dropped because although the bond slaves are UP, they are not members of the bridge.
To work around this issue, use the sudo ifdown command.
4.0.0-4.4.5
2531273
CM-17494
In certain cases, a peer device sends an ARP request from a source IP address that is not on the connected subnet and the switch creates a STALE neighbor entry. Eventually, the switch attempts to keep the entry fresh and sends ARP requests to the host. If the host responds, the switch has REACHABLE neighbor entries for hosts that are not on the connected subnet.
To work around this issue, change the value of arp_ignore to 2. See Address Resolution Protocol in the Cumulus Linux user guide (https://docs.cumulusnetworks.com/cumulus-linux/Layer-3/Address-Resolution-Protocol-ARP/) for more information.
4.0.0-4.4.5

Fixed Issues in 4.3.1

Issue ID | Description | Affects
3216915
Cumulus Linux 4.3.1 is available for Broadcom switches only. Do not upgrade a Mellanox switch to Cumulus Linux 4.3.1.
On Broadcom switches, upgrading from Cumulus Linux 4.3.0 to CumulusLinux-4-latest with apt update and apt upgrade downloads and installs only the cumulus-newpackages-bcm package. This changes CumulusLinux-4-latest in the /etc/apt/sources.list file to CumulusLinux-4-latest-BCM, after which, when you run apt update and apt upgrade, the switch upgrades to Cumulus Linux 4.3.1.
On Broadcom switches, upgrading from Cumulus Linux 4.0.0 to 4.2.1 to CumulusLinux-4-latest with apt update and apt upgrade upgrades the switch to Cumulus Linux 4.3.0, with CumulusLinux-4-latest-BCM listed in /etc/apt/sources.list. Running apt update and apt upgrade again then upgrades the switch to Cumulus Linux 4.3.1.
For Mellanox switches, the above procedure does not upgrade to Cumulus Linux 4.3.1. However, if you start the upgrade from Cumulus Linux 4.0.0 to 4.2.1, the switch might upgrade to Cumulus Linux 4.3.0.
3209699
None
RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users).
3.7.0-4.3.0, 4.4.0-5.2.1
3185796
When you enable ACL nonatomic update mode in the /etc/cumulus/switchd.conf file, the switch starts dropping ICMPv6 neighbor advertisement packets, which leads to an outage because the attached hosts are unable to communicate with each other.
4.3.0
3138137
The OID 1.3.6.1.4.1.40310.4.3.1.1.5 does not return all BGP unnumbered interfaces. To work around this issue, avoid multiple BGP sessions to routers using the same ID. If you have multiple peering sessions across subinterfaces that live in distinct VRFs, configure a separate router ID per VRF. If there are multiple peering sessions to the same device in the same VRF, consider consolidating them into a single BGP session, either by peering across a bond or by using a multihop session between loopbacks.
4.3.0
3136940
None
The clagd process uses 100 percent CPU and eventually crashes with an Unable to allocate memory error.
4.3.0
3120423
When you configure an interface in FRR to send IPv6 RAs before you configure the interface in the /etc/network/interfaces file, the switch does not process IPv6 RAs. To work around this issue, remove the interface configuration in FRR and reapply it.
3.7.15-4.3.0, 4.4.0-5.1.0
3110729
When you change the time with NTP or manually, the clagd service stops.
4.3.0
3089474
The clagd process uses 100 percent CPU and eventually crashes with an Unable to allocate memory error.
4.3.0
3068962
Cumulus Linux installation fails with the error Installation Problems, sub-task Installing Optional Packages. This occurs because the web server hosting the Cumulus Linux image remaps a 404 for the non-existent file image.optional_pkgs into a web page, which the installer then incorrectly attempts to use as a list of optional packages.
To work around this issue, on the web server hosting the image, create an empty file with the same name as the image with .optional_pkgs appended to the name.
4.4.0-4.4.3
3066704
The hostapd service stops working if an 802.1X interface goes up and down many times over a long period of time.
To work around this issue, restart the hostapd service with the systemctl restart hostapd command.
3.7.15-4.3.0
3053063
The update-ports.service fails because a blank space in the comment lines of the /etc/cumulus/ports.conf file causes parsing errors.
To work around this issue, remove the blank spaces in the commented lines, then restart the update-ports and switchd services.
3.7.15-4.3.0
3031235
In a static VXLAN configuration with a traditional or single VXLAN device, enabling bridge learning on the VNI leads to an incorrect warning and the setting is removed in the next commit. The warning is similar to the following:
warning: vni10: possible mis-configuration detected: l2-vni configured with bridge-learning ON while EVPN is also configured - these two parameters conflict with each other
4.3.0
3020254
When ARP suppression is off, Cumulus Linux sends GARPs from neighmgrd for remote neighbors over VXLAN.
3.7.15-4.3.0, 4.4.0-4.4.3, 5.0.0-5.1.0
2993469
If you remove NGINX from the switch, then run apt autoremove, switchd does not reload because the libyaml-0-2 and python-yaml packages are missing; these packages are required for switchd consistency checking. To work around this issue, reinstall the libyaml-0-2 and python-yaml packages.
4.3.0
2991514
Cumulus Linux can take a long time (100 seconds) to sync a large number of VNIs on a bridge.
3.7.15-4.3.0
2991501
When you poll TCP-MIB objects, the snmpd process slowly leaks memory. To work around this issue, restart the snmpd service to free memory with the systemctl restart snmpd command.
4.3.0
2949512
On the EdgeCore AS4610-54T switch, the fan speed reports a minimum threshold in the logs.
4.3.0
2943222
Cumulus Linux lets you add more than one VXLAN interface to the same VLAN on the same bridge. This is an invalid configuration because certain Cumulus Linux components, such as switchd, expect a single VNI for a given bridge or VLAN.
3.7.15, 4.2.1-4.3.0, 4.4.2-5.0.1
2935121
When you configure 199 VXLANs plus 199 VLANs, clagd crashes every few seconds.
3.7.15, 4.3.0, 4.4.0-4.4.1
2932121
When switchd restarts, the port watch daemon (portwd) attempts to send requests to switchd before switchd is ready. As a result, portwd goes into a failed state because there is no response from switchd.
4.3.0
2906967
You can't have more than one VLAN subinterface on the same port on the same bridge.
4.1.1-4.3.0
2899422
Broadcom switches return a table full error when creating VXLAN gports, which causes switchd to crash.
3.7.15-4.3.0
2896733
Traffic failover in a multicast topology with redundancy has the mroute stuck in a prune state and PIM join messages continue to send. To work around this issue, run the vtysh clear ip mroute command.
3.7.15-4.3.0, 5.0.0-5.0.1
2875337
In a scaled EVPN-MLAG configuration (observed with 400 or more VNIs and 20K or more MAC addresses; the actual scale might vary), when the peer link flaps causing all VNIs to come up at the same time, there might be high CPU utilization on the system for several minutes and the FRR service might restart. After FRR restarts or the CPU utilization settles down, the system functions normally.
4.2.1-4.3.0, 4.4.0-5.0.1
2875301
When an IPv4 address is not configured on a tenant VRF loopback interface, the switchd process slowly leaks memory, which results in unresolved next hops. To work around this issue, configure an IPv4 address on all VRF interfaces.
4.3.0
2875296
None
On a Mellanox Spectrum-2 switch, after running the systemctl restart networking service command on the MLAG primary switch, the secondary switch also closes its ports. To work around this issue, run the ifreload -a command to restart networking.
4.2.1-4.3.0
2867058
On the Dell Z9264F-ON switch, interfaces that use the QSFP28 module remain down after you restart switchd.
3.7.15-4.3.0
2866097
CM-33416
Under certain high scale conditions, various modules might experience timeouts during cl-support collection, which results in missing data in the cl-support file.
3.7.12-3.7.15, 4.1.1-4.3.0
2866084
When you reboot a VTEP, MAC address entries might become out of sync between the kernel FDB table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries are installed against the rebooted VTEP IP address in the kernel FDB, while the correct VTEP IP is present in the EVPN MAC VNI table. To work around this issue, clear all corrupted MAC address entries in the kernel FDB with the bridge fdb del dev [dst|via] <interface|IP> command, then add "vxlan-learning": "off" in the /etc/network/ifupdown2/policy.d/vxlan.json file. Add a comma at the end of the "vxlan-port" line and insert the "vxlan-learning" line after it, so that the file looks like this:
$ cat /etc/network/ifupdown2/policy.d/vxlan.json
{
    "vxlan": {
        "module_globals": { "vxlan-purge-remotes": "no" },
        "defaults": {
            "vxlan-ageing": "1800",
            "vxlan-port": "4789",
            "vxlan-learning": "off"
        }
    }
}
Reboot the affected switches.
3.7.12-4.3.0
2862214
switchd can cause a memory leak.
3.7.14.2-3.7.15
2862210
On NVIDIA Spectrum ASICs in a layer 2 bridge scaled configuration (more than 800 VLANs), clagd.service enters a failed state after a reboot or a switchd restart.
To work around this issue, load the port configuration in a staggered manner (groups of five downlink ports).
3.7.12-3.7.15, 4.3.0, 4.4.2-4.4.5
2853630
In an MLAG and VXLAN active-active configuration, when you add a new VNI on the primary MLAG switch only, you see packet loss over the old VNI.
4.3.0
2845423
On Dell S3048 switches configured for 802.1x authentication, you might see file descriptor exhaustion with hostapd messages indicating that Cumulus Linux is unable to open /dev/urandom or write out the transient ACL files.
To work around this issue, reboot the switch.
3.7.15, 4.3.0
2840819
CVE-2021-25219: The lame server cache in BIND, a DNS server implementation, can be abused by an attacker to significantly degrade resolver performance, resulting in denial of service (large delays for responses to client queries and DNS timeouts on client hosts).
4.0.0-4.3.0
2837378
The switch duplicates DHCP packets that pass through the VTEP.
4.3.0, 4.4.0-5.1.0
2816069
On the EdgeCore AS7326 switch, unicast ARP requests are not forwarded to the control plane.
4.2.1-4.3.0
2815645
In an EVPN configuration, an FRR restart on a border leaf VRRP master causes a stale route for the VRRP VIP on some remote VTEPs to point to the VRRP backup after convergence.
3.7.12-3.7.15, 4.3.0, 4.4.2-5.0.1
2792750
If you change the clagd-vxlan-anycast-ip setting on both MLAG peers at the same time, both peers use their unique VTEP address indefinitely.
3.7.15-4.3.0, 4.4.0-4.4.5
2786264
When the switchd service restarts, any dropped traffic registered by WJH changes to unregistered and WJH stops reporting all dropped traffic. This occurs because the WJH service does not restart automatically when the switchd service restarts.
To work around this issue, manually restart WJH with the sudo systemctl restart what-just-happened.service command every time the switchd service restarts.
4.3.0
2770030
When you modify the default pre-auth policy located in /etc/cumulus/acl/policy.d/dot1x_preauth_dacl, after restarting hostapd the /etc/cumulus/acl/policy.d/dot1x_preauth_dacl directory is deleted and recreated with the default rule set that comes from the hostapd binary.
4.3.0
2754723
When route_preferred_over_neigh is set to FALSE in the /etc/cumulus/switchd.conf file, host routes (/32 or /128) are used for forwarding in hardware instead of a local neighbor entry.
4.0.0-4.3.0, 4.4.0-4.4.1
2739398
Cumulus Linux does not support a bond or bond member as a SPAN destination.
4.4.0-4.4.5
2738625
When you configure the switch with the minimum reserved VLAN of 150 and the internal VLANs are exhausted, the MLAG peer does not forward the VLAN.
3.7.15, 4.2.1-4.3.0
2736260
After an apt upgrade, the OPTIONS configuration line in /etc/default/isc-dhcp-relay might be removed. To work around this issue, reconfigure the desired options in the file after the upgrade completes.
3.7.12-3.7.15, 4.2.1-4.3.0
2730447
The bridge MAC address is updated during a port change on bridge interfaces.
4.3.0, 4.4.0-4.4.5
2730225
When withdrawal and advertisement processing occurs in short succession, type-2 routes with an IP are not imported into layer 2 VNIs.
3.7.12-4.3.0, 4.4.0-4.4.1
2724191
On the Celestica Seastone switch, when you run smonctl -v, the DIMM 1 Temp Sensor shows as absent.
This is a cosmetic software issue and not indicative of a hardware failure on the system.
4.3.0
2716822
The /etc/cumulus/ports.conf file on the Dell Z9264F-ON switch does not show that Cumulus Linux does not support the 2x10G SFP+ ports.
3.7.15-4.3.0
2705160
None
Zebra rejects MAC IP updates from BGP when the MAC mobility sequence number that BGP sends is lower than the sequence number known to zebra.
When the MAC mobility sequence that BGP knows legitimately lowers (due to narrow timing conditions during convergence or after rebooting an MLAG pair one VTEP at a time), zebra rejects these updates and maintains a stale state. If the stale information that zebra uses points to the wrong VTEP address, traffic goes to the wrong VTEP and might drop.
4.0.0-4.3.0, 4.4.0-4.4.5
2700701
A default route learned from DHCP on eth0 in the management VRF might install in the default VRF if eth0 is disconnected and the original next hop is reachable in the default VRF. To work around this issue, delete the DHCP lease file for eth0 with the sudo rm /var/lib/dhcp/dhclient.eth0.leases command.4.3.0
2699399
When you run the vtysh show ip bgp vrf statistics command, the bgpd service crashes if you use vrf all. For example:
spine01# show ip bgp vrf all statistics vtysh: error reading from bgpd: Success (0)Warning: closing connection to bgpd because of an I/O error!
To workaround this issue, run the command against each VRF independently.
3.7.15, 4.0.0-4.3.0
2699378
Following an event that causes the peer link bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a peer-ip-mismatch. This behavior is seen when you use a clagd-peer-ip linklocal configuration.
Affects: 4.3.0
2695314
In a VRRP configuration, BGP unnumbered sessions for VRFs fail to establish after a networking restart.
Affects: 4.3.0
2685584
A host migrated to an 802.1x port within the same broadcast domain does not have the correct static FDB entry installed if a dynamic FDB entry for that MAC address exists from previous connectivity in the broadcast domain.
Affects: 4.2.1-4.3.0
2682792
If you configure items in a VRF that has been created, deleted, then re-created, staticd crashes.
Affects: 4.3.0
2668543
When configured with NVUE, SVIs do not inherit the pinned MAC address of the bridge.
Affects: 4.3.0, 5.0.0-5.8.0
2663119
If you update the MAC address of an SVI using ifreload and hwaddress, the kernel maintains a stale permanent fdb entry for the old MAC address.
Affects: 3.7.15, 4.3.0, 4.4.0-4.4.3, 5.0.0-5.0.1
2660583
In an MLAG configuration, when there is a double failure (peer link failure and backup IP failure), the secondary MLAG switch keeps using the MLAG system MAC address instead of switching to a unique address.
Affects: 4.3.0
2654715
The cl-acltool takes a significant amount of time to run, which can slow down automation scripts.
Affects: 4.2.0-4.3.0
2652003
When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static FDB entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface dot1x command, then add back the 802.1x configuration.
Affects: 3.7.10-4.3.0
2645609
The NCLU net show route vrf summary and vtysh show [ip|ipv6] route vrf summary commands do not return any output.
Affects: 4.3.0
2644071
When you stop clagd on the MLAG primary switch (for example, when you reboot the switch), in rare conditions the MLAG secondary switch might fail to properly assert itself as the MLAG primary switch. To work around this issue, change the primary designation by configuring the clagd priorities to ensure that you only reboot a switch that is in the MLAG secondary role.
Affects: 3.7.15, 4.3.0
2633062
The following vulnerability affects the libgstreamer-plugins-base1.0-0 package. There is no CVE yet; the Debian advisory number is DSA-4903-1.
Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened.
Vulnerable: 1.14.4-2
Fixed: 1.14.4-2+deb10u1
Affects: 4.0.0-4.3.0
2628493
On a PFC configured switch, non PFC enabled ports might transmit or receive traffic incorrectly after a reboot. To work around this issue, either run the echo 1 > /cumulus/switchd/config/traffic/reload command or the sudo systemctl restart switchd.service command.
Affects: 4.3.0
2613119
The Mellanox 100G transceiver MMA1L30-CM Rev A3 is not recognized on the SN4600 switch even though the link is up. The ethtool output shows the error Cannot get Module EEPROM data: Invalid argument.
2556816
CM-33419
When ARP suppression is enabled, RARP packets sometimes get dropped and are not flooded by the local VTEP.
To work around this issue, disable ARP suppression.
Affects: 3.7.14-3.7.14.2, 4.3.0
2556775
CM-33393
DSA-4859-1 (no CVE): zstd, a compression utility, was vulnerable to a race condition: it temporarily exposed, during a very short timeframe, a world-readable version of its input even if the original file had restrictive permissions.
Vulnerable: <= 1.3.8+dfsg-3+deb10u1
Fixed: 1.3.8+dfsg-3+deb10u2
Affects: 4.0.0-4.3.0
2556764
CM-33385
In a configuration with both traditional and vlan-aware bridges, the VLAN membership check on a vlan-aware switch does not drop PVST BPDUs that come from a traditional bridge.
Affects: 3.7.14-3.7.14.2, 4.0.0-4.3.0
2556691
CM-33334
The following vulnerabilities have been announced in the openssl packages:
CVE-2021-23840: Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash.
CVE-2021-23841: The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However, it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer dereference and a crash leading to a potential denial of service attack.
CVE-2019-1551: There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME.
Vulnerable: <= 1.1.1d-0+deb10u4
Fixed: 1.1.1d-0+deb10u5
Affects: 4.0.0-4.3.0
2556602
CM-33305
A clagd crash is observed with the following traceback in /var/log/clagd.log following a clag sync event, which is typically driven by a peerlink up event:
unhandled exception:
Traceback (most recent call last):
  File "/usr/sbin/clagd", line 1304, in PeerRecvT
    PeerRecv()
  File "/usr/sbin/clagd", line 513, in PeerRecv
    ParseProtoBufMessage(nlm, myPeerMsg)
  File "/usr/sbin/clagd", line 853, in ParseProtoBufMessage
    msgData = FdbSync.ParseProtoBufMessage(msgHdr)
  File "/usr/lib/python3/dist-packages/clag/fdbsync.py", line 892, in ParseProtoBufMessage
    msgData.ParseFromString(msgHdr.data)
google.protobuf.message.DecodeError: Error parsing message
Affects: 4.3.0
2556591
CM-33300
After upgrading to Cumulus Linux, MLAG ports might remain down, with clagctl and net show clag reporting bridge-priority-mismatch.
To work around this issue, run the sudo ifreload -a command on both peers, or configure bridge-bridgeprio to be the same value as mstpctl-treeprio on the bridge interface in the /etc/network/interfaces file, then run sudo ifreload -a.
Affects: 4.3.0
2556569
CM-33283
DSA-4850-1 (no CVE): libzstd adds read permissions to files while being compressed or uncompressed.
Vulnerable: 1.3.8+dfsg-3
Fixed: 1.3.8+dfsg-3+deb10u1
Affects: 4.0.0-4.3.0
2556500
CM-33258
Cumulus Linux does not support bond members at 200G or greater.
Affects: 4.0.0-4.3.0
2556474
CM-33247
CVE-2020-25681 CVE-2020-25682 CVE-2020-25683 CVE-2020-25684 CVE-2020-25685 CVE-2020-25686 CVE-2020-25687: Several vulnerabilities in dnsmasq, a small caching DNS proxy and DHCP/TFTP server, could result in denial of service, cache poisoning or the execution of arbitrary code.
Affects: 4.0.0-4.3.0
2556462
CM-33239
When you remove a fan tray, smonctl and sensors display different information about the removed fans.
Affects: 4.2.1-4.3.0
2556456
CM-33237
CVE-2020-36221, CVE-2020-36222, CVE-2020-36223, CVE-2020-36224, CVE-2020-36225, CVE-2020-36226, CVE-2020-36227, CVE-2020-36228, CVE-2020-36229, CVE-2020-36230: Several vulnerabilities were discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of these flaws to cause a denial of service (slapd daemon crash, infinite loops) via specially crafted packets.
Vulnerable: <= 2.4.47+dfsg-3+deb10u4
Fixed: 2.4.47+dfsg-3+deb10u5
Affects: 4.0.0-4.3.0
2556249
CM-33139
On a Mellanox switch configured with the max acl-heavy or ip-acl-heavy profile, the cl-resource-query -j command takes a long time to run.
Affects: 4.3.0
2556061
CM-33032
On the Edgecore AS4610 switch, the historic CPU usage displayed in /run/sysmonitor/history sometimes shows as a negative value.
Affects: 3.7.12-3.7.15
2555932
CM-32953
On Mellanox switches, you can't ping the SVI of the MLAG peer over the peer link after the packet is VXLAN decapsulated.
Affects: 4.2.1-4.3.0
2554798
CM-32286
On the Mellanox SN3700C switch, PIM multicast packets are duplicated at the egress VTEP.
Affects: 4.2.0-4.3.0
2554261
CM-31948
On Broadcom switches, when you create a VNI interface, switchd might crash with the following log message:
switchd[6628]: log.c:72 CRIT backend/bcm/hal_bcm_vxlan.c:1285: : Assertion '0' failed.
Affects: 4.3.0
2552212
CM-30832
The Mellanox SN2700 and SN2410 switches intermittently report PSU fan state changes with Unable to read from device/fan1_input/pwm1 syslog messages.
Affects: 3.7.11-3.7.14, 4.1.1-4.3.0
2550601
CM-29978
The received PVST BPDU for a VLAN is flooded even though the ingress port doesn't have the VLAN tagged.
Affects: 3.7.8-3.7.14.2, 4.0.0-4.3.0

4.3.0 Release Notes

Open Issues in 4.3.0

Issue ID | Description | Affects | Fixed
3351951
Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit.
Affects: 4.2.1-5.3.1
Fixed: 5.4.0
3336590
On the Trident 2+ and Trident 3 switch when using VXLAN layer 2 VPNs and sending tunneled traffic where the inner IP header has a TTL of 1, the egress VTEP incorrectly forwards this traffic through the software path instead of the hardware data plane. This traffic is rate-limited to 100pps by default. To work around this issue, ensure that the traffic traversing the layer 2 tunnel has an inner IP header TTL value that is more than 1. If this workaround is not possible, contact Nvidia Support to determine other options.
Affects: 4.3.0-4.4.5
3334036
When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash.
Affects: 4.3.0-5.3.1
Fixed: 5.4.0
3334031
When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash.
Affects: 4.3.0-4.4.5
3330705
When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present.
Affects: 3.7.0-5.3.1
Fixed: 5.4.0
3330654
When using TACACS+, if the /etc/nsswitch.conf file specifies passwd: files tacplus (files is listed before tacplus), the user name mapping might be incorrect; for example, the user name shown in the default prompt might be incorrect. When you use NVUE, this occurs when the priority for the authentication order of local is higher than tacacs.
Affects: 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.4.0
3327477
Using su to change to a user specified through TACACS+ results in becoming the local tacacs0 through tacacs15 user instead of the named user to run sudo commands. When sudo asks for the password of the named user, it is unlikely to match that of the local tacacs0 through tacacs15 user.
Affects: 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.4.0
3291548
In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As a result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart switchd.
Affects: 4.2.1-4.4.5
Fixed: 5.0.0-5.4.0
3269538
The cl-ecmpcalc command prints the following error when the egress interface is a bond or SVI:
ecmpcalc: will query hardware
Traceback (most recent call last):
  File "/usr/cumulus/bin/cl-ecmpcalc", line 986, in
    isTrunkMbr, port = ecmp.getHdPort(hd_cmd)
  File "/usr/cumulus/bin/cl-ecmpcalc", line 618, in getHdPort
    port = int(str4)
ValueError: invalid literal for int() with base 10: '0t
Affects: 4.3.0-4.4.5
3236349
Using ARP suppression with a very large number of interfaces might result in missing ARP entries on the local device or buffer underrun warnings in the neighmgrd log.
Affects: 4.3.0-4.4.5
3235956
With certain triggers on Broadcom switches, such as adding or deleting a VNI or reloading the network, Cumulus Linux might consider the underlay routes as overlay routes. In this case, switchd allocates the overlay next hop, which is incorrect and might affect traffic forwarding.
Affects: 4.3.0-4.4.5
3234031
If BGP neighbor allowas-in is set, negating with no neighbor allowas-in does not disable the setting. To work around this issue and disable the setting, restart the FRR service.
Affects: 4.2.1-5.2.1
Fixed: 5.3.0-5.4.0
3216922
RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users).
Affects: 3.7.0-4.3.0, 4.4.0-5.2.1
Fixed: 4.3.1, 5.3.0-5.4.0
3216921
RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users).
Affects: 3.7.0-4.3.0, 4.4.0-4.4.5
Fixed: 4.3.1
3216759
With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool, and the ACL might not work correctly:
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode.
Affects: 3.7.15-4.4.4
Fixed: 4.4.5, 5.1.0-5.4.0
3209699
RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users).
Affects: 3.7.0-4.3.0, 4.4.0-5.2.1
Fixed: 4.3.1, 5.3.0-5.4.0
3192808
When the switch receives an LLDP frame from a Cisco router right after a ptmd restart, the ptmd service crashes.
Affects: 4.3.0-5.2.1
Fixed: 5.3.0-5.4.0
3185796
When you enable ACL nonatomic update mode in the /etc/cumulus/switchd.conf file, the switch starts dropping ICMPv6 neighbor advertisement packets, which leads to an outage because the attached hosts are unable to communicate with each other.
Affects: 4.3.0
Fixed: 4.3.1-4.4.5
3138746
The switch duplicates DHCP packets that pass through the VTEP.
Affects: 4.3.0-5.1.0
Fixed: 5.2.0-5.4.0
3138137
The OID 1.3.6.1.4.1.40310.4.3.1.1.5 doesn't return all BGP unnumbered interfaces. To work around this issue, avoid multiple BGP sessions to routers using the same ID. If you have multiple peering sessions across subinterfaces that live in distinct VRFs, configure a separate router ID per VRF. If there are multiple peering sessions to the same device in the same VRF, consider consolidating into a single BGP session by either peering across a bond or by using a multihop session between loopbacks.
Affects: 4.3.0
Fixed: 4.3.1-4.4.5
3136940
The clagd process uses 100 percent CPU and eventually crashes with an Unable to allocate memory error.
Affects: 4.3.0
Fixed: 4.3.1-4.4.5
3135801
Zebra rejects MAC IP updates from BGP when the MAC mobility sequence number that BGP sends is lower than the sequence number known to zebra.
When the MAC mobility sequence that BGP knows legitimately lowers (due to narrow timing conditions during convergence or after rebooting an MLAG pair one VTEP at a time), zebra rejects these updates and maintains a stale state. If the stale information that zebra uses points to the wrong VTEP address, traffic goes to the wrong VTEP and might drop.
Affects: 4.0.0-4.3.0, 4.4.0-4.4.5
Fixed: 3.7.16, 4.3.1
3131423
During EVPN multihoming bond failover, ARP and ND redirection fails if you configure layer 2 VNIs and ES bonds before you configure the loopback IP address of the switch. To work around this issue, configure the loopback IP address, then restart FRR with the systemctl restart frr command.
Affects: 4.3.0-5.1.0
Fixed: 5.2.0-5.4.0
3129819
On the EdgeCore AS4610 switch, the clagd service loses communication after 198 days of uptime.
Affects: 3.7.15-3.7.16, 4.3.0-4.4.5
3123556
When you configure an interface in FRR to send IPv6 RAs before you configure the interface in the /etc/network/interfaces file, the switch does not process IPv6 RAs. To work around this issue, remove the interface configuration in FRR and reapply it.
Affects: 3.7.15-4.3.0, 4.4.0-5.1.0
Fixed: 4.3.1, 5.2.0-5.4.0
3119615
In an MLAG topology, if you admin down a single connected interface, any dynamic MAC addresses on the peer link are flushed, then added back momentarily, which creates a disruption in traffic.
Affects: 3.7.15-5.1.0
Fixed: 5.2.0-5.4.0
3117340
When you edit the /usr/share/openvswitch/scripts/ovs-ctl-vtep file to change the ovs-vtepd configuration between vlan-aware and vlan-unaware mode, ovs-vtepd crashes when you restart the service. To recover, restart the networking service with the sudo systemctl restart networking command.
Affects: 4.3.0-5.1.0
Fixed: 5.2.0-5.4.0
3110729
When you change the time with NTP or manually, the clagd service stops.
Affects: 4.3.0
Fixed: 4.3.1-4.4.5, 4.4.4-4.4.5, 5.1.0-5.4.0
3098936
When withdrawal and advertisement processing occurs in short succession, type-2 routes with an IP are not imported into layer 2 VNIs.
Affects: 3.7.12-4.3.0, 4.4.0-4.4.5
Fixed: 4.3.1
3093966
On Broadcom switches, INPUT chain iptables rules filter IPv6 packets matching the rules.
Affects: 3.7.15-3.7.16, 4.3.0-4.4.5
3093863
The snmpd process slowly leaks memory when you poll TCP-MIB objects. To work around this issue, restart the snmpd service to free memory with the systemctl restart snmpd command.
Affects: 3.7.16-4.4.3
Fixed: 4.4.4-4.4.5, 5.2.0-5.4.0
3089474
The clagd process uses 100 percent CPU and eventually crashes with an Unable to allocate memory error.
Affects: 4.3.0
Fixed: 4.3.1-4.4.5, 4.4.4-4.4.5, 5.2.0-5.4.0
3089165
A slow memory leak might occur in switchd if a route fails to install in hardware when hardware resources are exhausted.
Affects: 4.2.1-4.4.3
Fixed: 4.4.4-4.4.5
3084027
Under a high load, you might see ingress drop counters increase. The drops are classified as HwIfInDiscards in ethtool and shown as ingress_general in hardware.
Affects: 4.3.0-4.4.5, 5.0.0-5.4.0
3077737
The update-ports.service fails because a blank space in the comment lines of the /etc/cumulus/ports.conf file causes parsing errors.
To work around this issue, remove the blank spaces in the commented lines, then restart the update-ports and switchd services.
Affects: 3.7.15-4.3.0
Fixed: 4.3.1-4.4.5, 4.4.4-4.4.5
3073668
On the EdgeCore AS4610 switch, when you change the speed of any of the SFP+ ports, the other SFP+ ports flap.
Affects: 3.7.12-3.7.16, 4.3.0-4.4.5
3072613
When you delete a bond interface with NCLU, BGP peer group configuration is removed.
Affects: 3.7.15-3.7.16, 4.3.0-4.4.5
3066704
The hostapd service stops working if an 802.1X interface goes up and down many times over a long period of time.
To work around this issue, restart the hostapd service with the systemctl restart hostapd command.
Affects: 3.7.15-4.3.0
Fixed: 4.3.1-4.4.5
3059135
In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route.
To resolve this issue, restart FRR with the sudo systemctl restart frr command.
Affects: 4.3.0-5.1.0
Fixed: 5.2.0-5.4.0
3053197
The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install.
Affects: 4.2.1-4.4.5, 5.0.0-5.4.0
3046023
The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install.
Affects: 4.2.1-5.1.0
Fixed: 5.2.0-5.4.0
3041307
If you update the MAC address of an SVI using ifreload and hwaddress, the kernel maintains a stale permanent fdb entry for the old MAC address.
Affects: 3.7.15, 4.3.0, 4.4.0-4.4.3, 5.0.0-5.0.1
Fixed: 3.7.16, 4.3.1, 4.4.4-4.4.5, 5.1.0-5.4.0
3031235
Static VXLAN configuration prevents NCLU from working.
Affects: 4.3.0, 4.4.3
Fixed: 4.3.1, 4.4.4-4.4.5
3021693
When ARP suppression is off, Cumulus Linux sends GARPs from neighmgrd for remote neighbors over VXLAN.
Affects: 3.7.15-4.3.0, 4.4.0-4.4.3, 5.0.0-5.1.0
Fixed: 4.3.1, 4.4.4-4.4.5, 5.2.0-5.4.0
3007564
After you delete the last vxlan-remoteip configuration line from the /etc/network/interfaces file and run the ifreload -a command, the corresponding BUM flood entry is not removed.
Affects: 3.7.15-5.0.1
Fixed: 5.1.0-5.4.0, 5.2.0-5.4.0
2999341
CVE-2021-3570: The ptp4l program in linuxptp, an implementation of the Precision Time Protocol (PTP), does not validate the messageLength field of incoming messages, allowing a remote attacker to cause a denial of service, information leak, or potentially remote code execution.
Fixed: 1.9.2-1+deb10u1
Affects: 4.2.1-4.4.1
Fixed: 4.4.2-4.4.5
2999253
If you remove NGINX from the switch, then run apt autoremove, switchd does not reload. This occurs because removing NGINX also removes the libyaml-0-2 and python-yaml packages, which are required for the switchd consistency check.
Affects: 4.3.0, 4.4.0-5.0.1
Fixed: 4.3.1, 5.1.0-5.4.0
2991514
Cumulus Linux can take a long time (100 seconds) to sync a large number of VNIs on a bridge.
Affects: 3.7.15-4.3.0
Fixed: 4.3.1-4.4.5
2991501
When you poll TCP-MIB objects, the snmpd process slowly leaks memory. To work around this issue, restart the snmpd service to free memory with the systemctl restart snmpd command.
Affects: 4.3.0
Fixed: 4.3.1-4.4.5, 5.1.0-5.4.0
2973714
When you configure 199 VXLANs plus 199 VLANs, clagd crashes every few seconds.
Affects: 3.7.15, 4.3.0, 4.4.0-4.4.1
Fixed: 3.7.16, 4.3.1, 4.4.2-4.4.5, 5.0.0-5.4.0
2968495
If switchd requires more time to update port or bond configuration after the port or bond flaps, the systemd watchdog times out. As a result, systemd might assume that switchd is unresponsive and restart it.
Affects: 4.2.1-4.4.2
Fixed: 4.4.3-4.4.5, 5.1.0-5.4.0
2965759
On the EdgeCore AS4610-54T switch, the fan speed reports a minimum threshold in the logs.
Affects: 3.7.15-4.3.0
Fixed: 4.3.1-4.4.5
2961008
SNMP reports the same ifType of ethernetCsmacd(6) for loopback interfaces.
Affects: 3.7.15-4.4.2, 5.0.0-5.0.1
Fixed: 4.4.3-4.4.5, 5.1.0-5.4.0
2951110
The net show time ntp servers command does not show any output with management VRF.
Affects: 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.4.0
2949512
On the EdgeCore AS4610-54T switch, the fan speed reports a minimum threshold in the logs.
Affects: 3.7.15-4.3.0
Fixed: 4.3.1-4.4.5
2943443
Cumulus Linux lets you add more than one VXLAN interface to the same VLAN on the same bridge. This is an invalid configuration, as certain Cumulus Linux components, such as switchd, expect a single VNI for a given bridge or VLAN.
Affects: 3.7.15, 4.2.1-4.3.0, 4.4.2-5.0.1
Fixed: 3.7.16, 4.3.1, 5.1.0-5.4.0
2940063
CM-33416
Under certain high scale conditions, various modules might experience timeouts during cl-support collection, which results in missing data in the cl-support file.
Affects: 3.7.12-3.7.15, 4.1.1-4.3.0
Fixed: 3.7.16, 4.3.1-4.4.5, 5.0.0-5.4.0
2940052
When you configure the switch with the minimum reserved VLAN of 150 and the internal VLANs are exhausted, the MLAG peer does not forward the VLAN.
Affects: 3.7.15, 4.2.1-4.3.0
Fixed: 3.7.16, 4.3.1-4.4.5
2940051
In an MLAG configuration with traditional bridges, MAC addresses are seen over the peer link during ifreload when adding new VLANs or bridges.
Affects: 3.7.14.2-3.7.15, 4.3.0-4.4.5
Fixed: 3.7.16, 5.0.0-5.4.0
2932121
When switchd restarts, the port watch daemon (portwd) attempts to send requests to switchd before switchd is ready. As a result, portwd goes into a failed state because there is no response from switchd.
Affects: 4.3.0
Fixed: 3.7.16, 4.3.1-4.4.5
2906967
You can't have more than one VLAN subinterface on the same port on the same bridge.
Affects: 4.1.1-4.3.0
Fixed: 4.3.1-4.4.5
2902013
The NCLU commit command adds a five second delay.
Affects: 4.2.1-4.4.5
2899422
Broadcom switches return a table full error when creating VXLAN gports, which causes switchd to crash.
Affects: 3.7.15-4.3.0
Fixed: 4.3.1-4.4.5
2896733
Traffic failover in a multicast topology with redundancy has the mroute stuck in a prune state and PIM join messages continue to be sent. To work around this issue, run the vtysh clear ip mroute command.
Affects: 3.7.15-4.3.0, 5.0.0-5.0.1
Fixed: 4.3.1-4.4.5, 5.1.0-5.4.0
2893895
CM-33315
CVE-2020-35498: A vulnerability was found in openvswitch. A limitation in the implementation of userspace packet parsing can allow a malicious user to send a specially crafted packet causing the resulting megaflow in the kernel to be too wide, potentially causing a denial of service. The highest threat from this vulnerability is to system availability.
Vulnerable: <= 2.8.90-1-cl4u5
Fixed: 2.8.90-1-cl4u6, 2.8.90-1-cl4.4.0u1, 2.8.90-1-cl5.0.0u8
Affects: 4.0.0-4.3.1
Fixed: 4.4.0-4.4.5, 5.1.0-5.4.0
2891255
CVE-2021-39925: Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file.
Vulnerable: <= 2.6.20-0+deb10u1
Fixed: 2.6.20-0+deb10u2
Affects: 4.0.0-4.4.1, 5.0.0-5.4.0
Fixed: 4.4.2-4.4.5
2890681
CVE-2021-42771: relative path traversal in Babel, a set of tools for internationalising Python applications, could result in the execution of arbitrary code.
Vulnerable: 2.6.0+dfsg.1-1
Fixed: 2.6.0+dfsg.1-1+deb10u1
Affects: 4.0.0-4.4.1, 5.0.0-5.4.0
Fixed: 4.4.2-4.4.5
2875338
In a scaled EVPN-MLAG configuration (observed with 400 or more VNIs and 20K or more MAC addresses; the actual scale might vary), when the peer link flaps causing all VNIs to come up at the same time, there might be high CPU utilization on the system for several minutes and the FRR service might restart. After FRR restarts or the CPU utilization settles down, the system functions normally.
Affects: 4.2.1-4.3.0, 4.4.0-5.0.1
Fixed: 3.7.16, 4.3.1, 5.1.0-5.4.0
2875301
When an IPv4 address is not configured on a tenant VRF loopback interface, the switchd process slowly leaks memory, which results in unresolved next hops. To work around this issue, configure an IPv4 address on all VRF interfaces.
Affects: 4.3.0
Fixed: 4.3.1-4.4.5
2875296
On a Mellanox Spectrum-2 switch, after running the systemctl restart networking service command on the MLAG primary switch, the secondary switch also closes its ports. To work around this issue, run the ifreload -a command to restart networking.
Affects: 4.2.1-4.3.0
Fixed: 4.3.1-4.4.5, 4.4.0-4.4.5
2867058
On the Dell Z9264F-ON switch, interfaces that use the QSFP28 module remain down after you restart switchd.
Affects: 3.7.15-4.3.0
Fixed: 4.3.1-4.4.5
2866084
When you reboot a VTEP, MAC address entries might become out of sync between the kernel FDB table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries are installed against the rebooted VTEP IP address in the kernel FDB, while the correct VTEP IP is present in the EVPN MAC VNI table. To work around this issue, clear all corrupted MAC address entries in the kernel FDB with the bridge fdb del dev [dst|via] <interface|IP> command, then add "vxlan-learning": "off" in the /etc/network/ifupdown2/policy.d/vxlan.json file:
$ cat /etc/network/ifupdown2/policy.d/vxlan.json
{
  "vxlan": {
    "module_globals": { "vxlan-purge-remotes": "no" },
    "defaults": {
      "vxlan-ageing": "1800",
      "vxlan-port": "4789",      <==== This comma needs to be added at the end of this line
      "vxlan-learning": "off"    <==== This line needs to be added
    }
  }
}
Reboot the affected switches.
Affects: 3.7.12-4.3.0
Fixed: 4.3.1-4.4.5
2866080
On the Maverick S4148T switch with MLAG, Cumulus Linux drops LACP, ARP, LLDP and BGP traffic.
Affects: 4.3.0-4.4.5
2862211
On NVIDIA Spectrum ASICs in a layer 2 bridge scaled configuration (more than 800 VLANs), clagd.service enters a failed state after a reboot or a switchd restart.
To work around this issue, load the port configuration in a staggered manner (groups of five downlink ports).
Affects: 3.7.12-3.7.15, 4.3.0, 4.4.2-4.4.5
Fixed: 3.7.16, 4.3.1, 5.0.0-5.4.0
2854787
An unexpected software system shutdown can occur due to a thermal zones issue in the hw-management package. The following message might appear in /var/log/syslog before the shutdown:
thermal thermal_zoneX: critical temperature reached (33 C), shutting down
Affects: 4.3.0-4.3.1
Fixed: 4.4.0-4.4.5, 5.1.0-5.4.0
2854784
After building VLAN or VXLAN interfaces, MLAG becomes unstable.
Affects: 4.3.0-4.4.1
Fixed: 4.4.2-4.4.5, 5.0.0-5.4.0
2853630
In an MLAG and VXLAN Active Active configuration, when you add a new VNI on the primary MLAG switch only, you see packet loss over the old VNI.
Affects: 4.3.0
Fixed: 4.3.1-4.4.5
2848219
On Dell S3048 switches configured for 802.1x auth, you might see file descriptor exhaustion with hostapd messages indicating that Cumulus Linux is unable to open /dev/urandom or write out the transient ACL files.
To work around this issue, reboot the switch.
Affects: 3.7.15, 4.3.0
Fixed: 3.7.16, 4.3.1-4.4.5
2845531
If you update the MAC address of an SVI when the SVI is in a protodown state (for example, when no bridge ports that carry this VNI are operationally up or if the MAC address of the SVI's parent bridge changes), clagd does not notice the change. The MLAG peer incorrectly maintains a PERMANENT neighbor entry for the SVI IP that points to the old MAC address.
Affects: 4.2.1-4.4.5
Fixed: 5.0.0-5.4.0
2840819
CVE-2021-25219: The lame server cache in BIND, a DNS server implementation, can be abused by an attacker to significantly degrade resolver performance, resulting in denial of service (large delays for responses for client queries and DNS timeouts on client hosts).
Affects: 4.0.0-4.3.0
Fixed: 4.3.1-4.4.5, 4.4.2-4.4.5, 5.0.0-5.4.0
2838905
On Broadcom ARM switches, the NTP clock slowly drifts to a very high offset (over 500ms) and the clock is not able to synchronize. To work around this issue, use the chrony implementation of NTP instead of ntpd. chrony synchronizes the system clock faster and with better accuracy.
Instructions for using chrony are here: https://docs.nvidia.com/networking-ethernet-software/knowledge-base/Network-Solutions/Chrony-on-Cumulus-Linux/
Affects: 4.3.0-4.4.5
2837378
The switch duplicates DHCP packets that pass through the VTEP.
Affects: 4.3.0, 4.4.0-5.1.0
Fixed: 4.3.1, 5.2.0-5.4.0
2827336
After bringing up a bridge port, there is a multi-second delay before the bridge port is able to learn any MAC addresses or neighbors, which causes a forwarding delay (about six seconds with 300 or more VLANs).
Affects: 3.7.15-3.7.16, 4.3.0-4.4.5
2820565
SNMP does not start and you see errors similar to the following:
cumulus@switch:~$ sudo systemctl status snmpd.service
snmpd.service - Simple Network Management Protocol (SNMP) Daemon.
   Loaded: loaded (/lib/systemd/system/snmpd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Mon 2021-10-11 14:38:13 UTC; 1min 8s ago
  Process: 1987 ExecStart=/usr/sbin/snmpd $SNMPDOPTS -f (code=exited, status=1/FAILURE)
 Main PID: 1987 (code=exited, status=1/FAILURE)
To work around this issue, run the sudo systemctl restart snmpd.service command.
Affects: 4.3.0-4.4.5
Fixed: 5.0.0-5.4.0
2816069
On the EdgeCore AS7326 switch, unicast ARP requests are not forwarded to the control plane.4.2.1-4.3.04.3.1-4.4.5
2815646
In an EVPN configuration, an FRR restart on a border leaf VRRP master causes a stale route for the VRRP VIP on some remote VTEPs to point to the VRRP backup after convergence.3.7.12-3.7.15, 4.3.0, 4.4.2-5.0.13.7.16, 4.3.1, 5.1.0-5.4.0
2803044
In an EVPN configuration with IP or MAC mobility, higher MM EVPN routes do not remove the old ARP entries during VIP migration between VTEP racks.3.7.14.2-3.7.15, 4.3.0-4.4.53.7.16
2794766
The Mellanox 3700C switch reports a slow memory leak in sx_sdk. Memory increases by about 240B/hour and does not free up.4.3.0-4.4.55.0.0-5.4.0
2792750
If you change the clagd-vxlan-anycast-ip setting on both MLAG peers at the same time, both peers use their unique VTEP address indefinitely.3.7.15-4.3.0, 4.4.0-4.4.54.3.1
2792616
If a neighbor entry (ARP or NDP) is used as a next hop of a route that is synchronized into hardware, the neighbor entry is not removed from hardware after the neighbor is no longer reachable. As a result, routed traffic matching this prefix is incorrectly hardware forwarded through the stale neighbor information.4.3.0-4.4.55.0.0-5.4.0
2786264
When the switchd service restarts, any dropped traffic registered by WJH change to unregistered and WJH stops reporting all dropped traffic. This occurs because the WJH service does not restart automatically when the switchd service restarts
To work around this issue, manually restart WJH with the sudo systemctl restart what-just-happened.service command every time the switchd service restarts.
4.3.04.3.1-4.4.5
2783611
If you remove ports from a bridge and add IP addresses in one ifreload, connected routes are bound to the wrong routing information field.4.3.0-4.4.14.4.2-4.4.5
2782033
The following vulnerabilities have been announced in the openssl packages:CVE-2021-3711: buffer overflow vulnerability in SM2 decryption
CVE-2021-3712: buffer overrun when processing ASN.1 strings in the X509_aux_print() function
More details at https://www.openssl.org/news/secadv/20210824.txt
Vulnerable: <= 1.1.1d-0+deb10u6Fixed: 1.1.1d-0+deb10u7
4.0.0-4.4.14.4.2-4.4.5
2781537
In Cumulus VX, the iptables FORWARD chain does not count hits. To work around this issue, use -t mangle -A PREROUTING instead of FORWARD.4.3.0-4.4.55.0.0-5.4.0
2771871
IPv4 and IPv6 neighbor entries in a FAILED state are incorrectly programmed into hardware as FORWARD entries instead of TRAP entries. Traffic is forwarded to these neighbors with a destination MAC address of 00:00:00:00:00:00 instead of trapping them to the CPU to resolve the correct MAC address
This affects failed neighbor entries on routed interfaces that are not SVIs.
4.3.0-4.4.14.4.2-4.4.5
2770030
When you modify the default pre-auth policy located in /etc/cumulus/acl/policy.d/dot1x_preauth_dacl, after restarting hostapd the /etc/cumulus/acl/policy.d/dot1x_preauth_dacl directory is deleted and recreated with the default rule set that comes from the hostapd binary.4.3.04.3.1-4.4.5
2755615
When route_preferred_over_neigh is set to FALSE in the /etc/cumulus/switchd.conf file, host routes (/32 or /128) are used for forwarding in hardware instead of a local neighbor entry.
Affects: 4.0.0-4.3.0, 4.4.0-4.4.1
Fixed: 4.3.1, 4.4.2-4.4.5, 5.0.0-5.4.0
2754791
Remote MAC addresses in zebra are out of sync with bgpd. The zebra MAC addresses point to an incorrect (old) VTEP IP address and the sequence number is one higher than in BGP.
Affects: 3.7.14.2-3.7.16, 4.3.0-4.4.5
2754691
CVE-2021-3672: in c-ares, a library that performs DNS requests and name resolution asynchronously, missing input validation of hostnames returned by DNS servers can lead to output of wrong hostnames (leading to Domain Hijacking).
Vulnerable: 1.14.0-1
Fixed: 1.14.0-1+deb10u1
Affects: 4.0.0-4.4.1
Fixed: 4.4.2-4.4.5
2754685
CVE-2021-38165: lynx, a non-graphical (text-mode) web browser, does not properly handle the userinfo subcomponent of a URI, which can lead to leaking of credentials in cleartext in SNI data.
Vulnerable: 2.8.9rel.1-3
Fixed: 2.8.9rel.1-3+deb10u1
Affects: 4.0.0-4.4.1
Fixed: 4.4.2-4.4.5
2754679
CVE-2020-26558 / CVE-2021-0129: Bluez does not properly check permissions during the pairing operation, which could allow an attacker to impersonate the initiating device.
CVE-2020-27153: a double free flaw in the disconnect_cb() routine in the gattool. A remote attacker can take advantage of this flaw during service discovery for denial of service, or potentially, execution of arbitrary code.
Vulnerable: <= 5.50-1.2~deb10u1
Fixed: 5.50-1.2~deb10u2
Affects: 4.0.0-4.4.1
Fixed: 4.4.2-4.4.5
2753955
On the Lenovo MSN3700 switch, if you try to configure an interface with a link speed of 200G, the configuration fails.
Affects: 4.2.1-4.4.5
Fixed: 5.0.0-5.4.0
2747605
CVE-2021-3246: a buffer overflow in libsndfile, a library for reading/writing audio files, which could result in denial of service or potentially the execution of arbitrary code when processing a malformed audio file.
Vulnerable: 1.0.28-6
Fixed: 1.0.28-6+deb10u1
Affects: 4.0.0-4.4.1
Fixed: 4.4.2-4.4.5
2743186
When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish.
Affects: 3.7.15-5.1.0
Fixed: 5.2.0-5.4.0
2739690
CVE-2021-22918: An out-of-bounds read was discovered in the uv__idna_to_ascii() function of Libuv, an asynchronous event notification library, which could result in denial of service or information disclosure.
Vulnerable: 1.24.1-1
Fixed: 1.24.1-1+deb10u1
Affects: 4.0.0-4.4.1
Fixed: 4.4.2-4.4.5
2739639
CVE-2021-36222: It was discovered that the Key Distribution Center (KDC) in krb5, the MIT implementation of Kerberos, is prone to a NULL pointer dereference flaw. An unauthenticated attacker can take advantage of this flaw to cause a denial of service (KDC crash) by sending a request containing a PA-ENCRYPTED-CHALLENGE padata element without using FAST.
Vulnerable: <= 1.17-3+deb10u1
Fixed: 1.17-3+deb10u2
Affects: 4.0.0-4.4.1
Fixed: 4.4.2-4.4.5
2739402
The destination MAC address of ERSPAN GRE packets is set to all zeros.
Affects: 4.3.0-4.4.5
Fixed: 5.0.0-5.4.0
2736265
After an apt upgrade, the OPTIONS configuration line in /etc/default/isc-dhcp-relay might be removed. To work around this issue, reconfigure the desired options in the file after the upgrade completes.
Affects: 3.7.12-3.7.15, 4.2.1-4.3.0
Fixed: 3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5
2734122
CVE-2021-33910: The Qualys Research Labs discovered that an attacker-controlled allocation using the alloca() function could result in memory corruption, allowing an attacker to crash systemd and hence the entire operating system. Details can be found at https://www.qualys.com/2021/07/20/cve-2021-33910/denial-of-service-systemd.txt
Vulnerable: <= 241-7~deb10u7
Fixed: 241-7~deb10u8
Affects: 4.0.0-4.4.1
Fixed: 4.4.2-4.4.5
2734119
The ESI line in the show bgp l2vpn evpn route command output always shows VNI: 0. This is a cosmetic software issue.
Affects: 4.3.0-4.4.5
Fixed: 5.0.0-5.4.0
2734107
When withdrawal and advertisement processing occurs in short succession, type-2 routes with an IP are not imported into layer 2 VNIs.
Affects: 3.7.12-4.3.0, 4.4.0-4.4.1
Fixed: 4.3.1, 4.4.2-4.4.5
2734103
ACL [No More Resources] messages keep appearing and you can’t reinstall the ACL.
Affects: 4.3.0-5.1.0
Fixed: 5.2.0-5.4.0
2732587
The bridge MAC address is updated during a port change on bridge interfaces.
Affects: 4.3.0, 4.4.0-4.4.5
Fixed: 4.3.1, 5.0.0-5.4.0
2730225
When withdrawal and advertisement processing occurs in short succession, type-2 routes with an IP are not imported into layer 2 VNIs.
Affects: 3.7.12-4.3.0, 4.4.0-4.4.1
Fixed: 4.3.1, 4.4.2-4.4.5
2728207
CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Affects: 3.7.0-4.4.1
Fixed: 4.4.2-4.4.5
2728206
CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Affects: 3.7.0-4.4.1
Fixed: 4.4.2-4.4.5
2728205
CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Affects: 3.7.0-4.4.1
Fixed: 4.4.2-4.4.5
2728138
CM-33237
CVE-2020-36221, CVE-2020-36222, CVE-2020-36223, CVE-2020-36224, CVE-2020-36225, CVE-2020-36226, CVE-2020-36227, CVE-2020-36228, CVE-2020-36229, CVE-2020-36230: Several vulnerabilities were discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of these flaws to cause a denial of service (slapd daemon crash, infinite loops) via specially crafted packets.
Vulnerable: <= 2.4.47+dfsg-3+deb10u4
Fixed: 2.4.47+dfsg-3+deb10u5
Affects: 4.0.0-4.3.0
Fixed: 4.3.1-4.4.5, 4.4.0-4.4.5
2728134
CVE-2021-27212: A vulnerability in the Certificate List Exact Assertion validation was discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of this flaw to cause a denial of service (slapd daemon crash) via specially crafted packets.
Vulnerable: <= 2.4.47+dfsg-3+deb10u5
Fixed: 2.4.47+dfsg-3+deb10u6
Affects: 4.0.0-4.3.1
Fixed: 4.4.0-4.4.5
2728119
When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the sudo systemctl restart frr command.
Affects: 4.3.0-4.4.5
Fixed: 5.0.0-5.4.0
2724191
On the Celestica Seastone switch, when you run smonctl -v, the DIMM 1 Temp Sensor shows as absent.
This is a cosmetic software issue and not indicative of a hardware failure on the system.
Affects: 4.3.0
Fixed: 4.3.1-4.4.5
2716822
The /etc/cumulus/ports.conf file on the Dell Z9264F-ON switch does not show that Cumulus Linux does not support the 2x10G SFP+ ports.
Affects: 3.7.15-4.3.0
Fixed: 4.3.1-4.4.5
2713888
With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool, and the ACL might not work correctly:
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode.
Affects: 3.7.15-5.0.1
Fixed: 5.1.0-5.4.0
2711533
On the AS7326-56X switch, the link lights for 25G ports configured to work at 1G do not illuminate.
Affects: 4.2.1-4.4.5
2710208
The net show bgp neighbor command output shows the BFD status as UP even when the BGP neighbor is not established, such as when the interface is down.
Affects: 4.2.1-4.4.5
2706744
In an EVPN multihoming configuration, the VTEP continues to advertise a stale route after an extended MAC mobility event.
Affects: 4.3.0-4.4.1
Fixed: 4.4.2-4.4.5
2705056
SVIs do not inherit the pinned MAC address of the bridge.
Affects: 4.3.0, 5.0.0-5.4.0
Fixed: 4.3.1-4.4.5
2701000
A default route learned from DHCP on eth0 in the management VRF might install in the default VRF if eth0 is disconnected and the original next hop is reachable in the default VRF. To work around this issue, delete the DHCP lease file for eth0 with the sudo rm /var/lib/dhcp/dhclient.eth0.leases command.
Affects: 4.3.0, 5.0.0-5.4.0
Fixed: 4.3.1-4.4.5
2700767
Following an event that causes the peerlink bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a peer IP mismatch. This behavior is seen when you use a MLAG peer IP linklocal configuration.
Affects: 3.7.12-3.7.15, 4.3.0-4.4.5
Fixed: 3.7.16
2699399
When you run the vtysh show ip bgp vrf statistics command, the bgpd service crashes if you use vrf all. For example:
spine01# show ip bgp vrf all statistics
vtysh: error reading from bgpd: Success (0)
Warning: closing connection to bgpd because of an I/O error!
To work around this issue, run the command against each VRF independently.
Affects: 3.7.15, 4.0.0-4.3.0
Fixed: 3.7.16, 4.3.1-4.4.5
2699378
Following an event that causes the peer link bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a peer-ip-mismatch. This behavior is seen when you use a clagd-peer-ip linklocal configuration.
Affects: 4.3.0
Fixed: 4.3.1-4.4.5, 4.4.0-4.4.5
2695526
CVE-2021-3580 CVE-2021-20305: Multiple vulnerabilities were discovered in nettle, a low level cryptographic library, which could result in denial of service (remote crash in RSA decryption via specially crafted ciphertext, crash on ECDSA signature verification) or incorrect verification of ECDSA signatures.
Vulnerable: 3.4.1-1
Fixed: 3.4.1-1+deb10u1
Affects: 4.0.0-4.3.1
Fixed: 4.4.0-4.4.5
2695314
In a VRRP configuration, BGP unnumbered sessions for VRFs fail to establish after a networking restart.
Affects: 4.3.0
Fixed: 4.3.1-4.4.5, 4.4.0-4.4.5
2687159
CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331 CVE-2020-36332: Multiple vulnerabilities were discovered in libwebp, the implementation of the WebP image format, which could result in denial of service, memory disclosure or potentially the execution of arbitrary code if malformed images are processed.
Vulnerable: 0.6.1-2
Fixed: 0.6.1-2+deb10u1
Affects: 4.0.0-4.3.1
Fixed: 4.4.0-4.4.5
2685994
When you use the NVUE command nv set interface lo router ospf area to configure OSPF on a loopback interface, the configuration fails to apply.
To work around this issue, configure the loopback interface in the desired OSPF area with the nv set vrf default router ospf area 0 network command and reference the assigned prefix of the loopback interface. For example:
cumulus@leaf01:~$ nv set vrf default router ospf area 0 network 10.10.10.1/32
Affects: 4.0.0-5.0.1
Fixed: 5.1.0-5.4.0
2685584
A host migrated to an 802.1x port within the same broadcast domain does not have the correct static FDB entry installed if a dynamic FDB entry for that MAC address exists from previous connectivity in the broadcast domain.
Affects: 4.2.1-4.3.0
Fixed: 4.3.1-4.4.5
2684418
If you configure items in a VRF that has been created, deleted, then re-created, staticd crashes.
Affects: 4.3.0
Fixed: 4.3.1-4.4.5, 4.4.0-4.4.5
2682971
CVE-2020-12762: integer overflow in the json-c JSON library, which could result in denial of service or potentially the execution of arbitrary code if large malformed JSON files are processed.
Vulnerable: 0.12.2+cl4u1
Fixed: 0.12.2+cl4.4.0u1
Affects: 4.0.0-4.3.1
Fixed: 4.4.0-4.4.5
2682780
Adding a route map configuration after a MAC access list configuration line causes the route map configuration to be applied incorrectly.
To work around this issue, add the MAC access list configuration to the end of the /etc/frr/frr.conf file.
Affects: 4.2.0-4.3.1
Fixed: 4.4.0-4.4.5
2679950
CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash.
Vulnerable: <= 4.3.1-6-cl3.7.14u1
Fixed: 4.3.1-6-cl3.7.16u1
Affects: 3.7.0-3.7.15, 4.0.0-4.3.1
Fixed: 3.7.16, 4.4.0-4.4.5
2677049
CM-33247
CVE-2020-25681 CVE-2020-25682 CVE-2020-25683 CVE-2020-25684 CVE-2020-25685 CVE-2020-25686 CVE-2020-25687: Several vulnerabilities in dnsmasq, a small caching DNS proxy and DHCP/TFTP server, could result in denial of service, cache poisoning or the execution of arbitrary code.
Affects: 4.0.0-4.3.0
Fixed: 4.3.1-4.4.5, 4.4.0-4.4.5
2671667
CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code.
Vulnerable: <= 1.14.2-2+deb10u3
Fixed: 1.14.2-2+deb10u4
Affects: 4.0.0-4.3.1
Fixed: 4.4.0-4.4.5
2669873
In an EVPN multihoming configuration, ARP/ND traffic that arrives on one switch is sent back out the originating bond on the other switches in the ES on remote PE switches. Normally, split horizon filtering prevents this kind of traffic at the remote PE.
Affects: 4.3.0-4.4.5
2669858
CM-32169
OpenSSH is vulnerable to CVE-2020-14145, as described in https://www.fzi.de/fileadmin/user_upload/2020-06-26-FSA-2020-2.pdf.
This is an information leak in algorithm negotiation that can allow man-in-the-middle attacks on initial connection attempts without a previously stored server host key on the client. If desired, mitigation using UpdateHostKeys and HostKeyAlgorithms is also given in that paper.
Affects: 3.7.14-3.7.16, 4.0.0-4.4.5
2669073
On Spectrum, Spectrum-2, and Spectrum-3 switches, the l1-show command shows the wrong data when the MST service is stopped.
To work around this issue, start the MST service with the sudo mst start command.
Affects: 4.3.0-4.3.1
Fixed: 4.4.0-4.4.5
2666838
CVE-2021-31535: missing length validation in various functions provided by libx11, the X11 client-side library, allows injection of X11 protocol commands on X clients, leading to authentication bypass, denial of service or potentially the execution of arbitrary code.
Vulnerable: <= 1.6.7-1+deb10u1
Fixed: 1.6.7-1+deb10u2
Affects: 4.0.0-4.3.1
Fixed: 4.4.0-4.4.5
2663479
CVE-2021-3520: integer overflow flaw in lz4, a fast LZ compression algorithm library, resulting in memory corruption.
Vulnerable: 1.8.3-1
Fixed: 1.8.3-1+deb10u1
Affects: 4.0.0-4.3.1
Fixed: 4.4.0-4.4.5
2660583
In an MLAG configuration, when there is a double failure (peer link failure and backup IP failure), the secondary MLAG switch continues to use the MLAG system MAC address instead of a unique address.
Affects: 4.3.0
Fixed: 4.3.1-4.4.5
2656527
CVE-2020-18032: A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file.
Vulnerable: 2.40.1-6
Fixed: 2.40.1-6+deb10u1
Affects: 4.0.0-4.3.1
Fixed: 4.4.0-4.4.5
2654715
None
The cl-acltool takes a significant amount of time to run, which can slow down automation scripts.
Affects: 4.2.0-4.3.0
Fixed: 4.3.1-4.4.5, 4.4.0-4.4.5
2652003
When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static FDB entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface dot1x command, then add back the 802.1x configuration.
Affects: 3.7.10-3.7.15, 4.3.0
Fixed: 3.7.16, 4.3.1-4.4.5
2648658
If you try to use more than one percent of max-ecmp-nexthops, you get an error indicating a failure.
Affects: 3.7.15-4.3.1
Fixed: 4.4.0-4.4.5
2648587
CM-29978
The received PVST BPDU for a VLAN is flooded even though the ingress port doesn’t have the VLAN tagged.
Affects: 3.7.8-3.7.14.2, 4.0.0-4.3.0
Fixed: 3.7.15-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5
2645609
None
The NCLU net show route vrf summary and vtysh show [ip|ipv6] route vrf summary commands do not return any output.
Affects: 4.3.0
Fixed: 4.3.1-4.4.5, 4.4.0-4.4.5
2644072
When you stop clagd on the MLAG primary switch (for example, when you reboot the switch), in rare conditions the MLAG secondary switch might fail to properly assert itself as the MLAG primary switch. To work around this issue, change the primary designation by configuring the clagd priorities to ensure that you only reboot a switch that is in the MLAG secondary role.
Affects: 3.7.15, 4.3.0
Fixed: 3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5
2644053
The following vulnerabilities have been announced in BIND:
CVE-2021-25214: a malformed incoming IXFR transfer could trigger an assertion failure in named, resulting in denial of service
CVE-2021-25215: named could crash when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query
CVE-2021-25216: the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries
Vulnerable: <= 9.11.5.P4+dfsg-5.1+deb10u4
Fixed: 9.11.5.P4+dfsg-5.1+deb10u5
Affects: 4.0.0-4.3.1
Fixed: 4.4.0-4.4.5
2639303
When you use NCLU to delete a bond, then add an interface, NCLU reports an error similar to the following:
ERROR: 'NoneType' object has no attribute 'conf_key_value_multiple_values'
See /var/log/netd.log for more details.
Affects: 4.3.0-4.4.5
2633062
The following vulnerability affects the libgstreamer-plugins-base1.0-0 package. There is no CVE yet; the Debian advisory number is DSA-4903-1.
Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened.
Vulnerable: 1.14.4-2
Fixed: 1.14.4-2+deb10u1
Affects: 4.0.0-4.3.0
Fixed: 4.3.1-4.4.5, 4.4.0-4.4.5
2632379
When you upgrade the switch with apt-get upgrade, the kexec-tools package is not installed, which causes the Smart System Manager fast restart mode to work incorrectly.
Affects: 4.3.0-4.3.1
Fixed: 4.4.0-4.4.5
2628515
CVE-2020-12695: hostapd does not properly handle UPnP subscribe messages under certain conditions, allowing an attacker to cause a denial of service.
Vulnerable: <= 2.8.0-cl3.7.15u2
Fixed: 2.8.0-cl3.7.15u3
Affects: 3.7.14-3.7.14.2, 4.3.0-4.3.1
Fixed: 3.7.15-3.7.16, 4.4.0-4.4.5
2628493
On a PFC-configured switch, ports that are not PFC enabled might transmit or receive traffic incorrectly after a reboot. To work around this issue, either run the echo 1 > /cumulus/switchd/config/traffic/reload command or the sudo systemctl restart switchd.service command.
Affects: 4.3.0
Fixed: 4.3.1-4.4.5
2618227
The NCLU net show bridge macs command displays permanent MAC addresses for trunked VLANs.
Affects: 4.3.0-4.4.5
2617000
CVE-2021-26933 CVE-2021-27379: Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, privilege escalation or memory disclosure.
Vulnerable: < 4.11.4+99-g8bce4698f6-1
Fixed: 4.11.4+99-g8bce4698f6-1
Affects: 4.0.0-4.3.1
Fixed: 4.4.0-4.4.5
2616998
CVE-2021-23358: missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code.
Vulnerable: 1.9.1~dfsg-1
Fixed: 1.9.1~dfsg-1+deb10u1
Affects: 4.0.0-4.3.1
Fixed: 4.4.0-4.4.5
2616987
CVE-2020-6851 CVE-2020-8112 CVE-2020-15389 CVE-2020-27814 CVE-2020-27823 CVE-2020-27824 CVE-2020-27841 CVE-2020-27842 CVE-2020-27843 CVE-2020-27845: Multiple vulnerabilities have been discovered in openjpeg2, the open-source JPEG 2000 codec, which could result in denial of service or the execution of arbitrary code when opening a malformed image.
Vulnerable: <= 2.3.0-2+deb10u1
Fixed: 2.3.0-2+deb10u2
Affects: 4.0.0-4.3.1
Fixed: 4.4.0-4.4.5
2616976
Multiple vulnerabilities were discovered in cURL, a URL transfer library:
CVE-2020-8169: partial password leak to DNS servers
CVE-2020-8177: malicious server could cause curl -J -i to overwrite a local file
CVE-2020-8231: libcurl with CURLOPT_CONNECT_ONLY information leak due to wrong connection
CVE-2020-8284: PASV response could trick curl into connecting back to an arbitrary IP address and port
CVE-2020-8285: libcurl could run out of stack space using FTP wildcard matching (CURLOPT_CHUNK_BGN_FUNCTION)
CVE-2020-8286: failure to verify that the OCSP response matches the intended certificate
CVE-2021-22876: libcurl did not strip user credentials from the URL when populating the Referer HTTP request header
CVE-2021-22890: libcurl using an HTTPS proxy with TLS 1.3 could use the wrong session ticket and bypass the server TLS certificate check
Vulnerable: <= 7.64.0-4+deb10u1
Fixed: 7.64.0-4+deb10u2
Affects: 4.0.0-4.3.1
Fixed: 4.4.0-4.4.5
2616967
CVE-2021-28957: lxml, a Python binding for the libxml2 and libxslt libraries, did not properly sanitize its input. This would allow a malicious user to mount a cross-site scripting attack.
Vulnerable: <= 4.3.2-1+deb10u2
Fixed: 4.3.2-1+deb10u3
Affects: 4.0.0-4.3.1
Fixed: 4.4.0-4.4.5
2616964
CVE-2021-27291: Pygments, a syntax highlighting package written in Python 3, used regular expressions which could result in denial of service.
Vulnerable: <= 2.3.1+dfsg-1+deb10u1
Fixed: 2.3.1+dfsg-1+deb10u2
Affects: 4.0.0-4.3.1
Fixed: 4.4.0-4.4.5
2616954
CVE-2021-3449: A NULL pointer dereference was found in the signature_algorithms processing in OpenSSL, a Secure Sockets Layer toolkit, which could result in denial of service.
Vulnerable: <= 1.1.1d-0+deb10u5
Fixed: 1.1.1d-0+deb10u6
Affects: 4.0.0-4.3.1
Fixed: 4.4.0-4.4.5
2614016
The switch firmware incorrectly identifies Lenovo LR4 transceivers (part number 00YD278) and does not set the laser levels properly, which can prevent the link from coming up or might cause the transceiver to be identified as a 1G module.
Affects: 4.2.0-4.3.1
Fixed: 4.4.0-4.4.5
2599274
On Mellanox Spectrum switches, when there is an MSTP forwarding state change on a bond (for example, when the state changes from blocking to forwarding), the MSTP hardware table might set some VLANs to blocking when they should be forwarding. As a result, all packets on these VLANs drop at ingress.
To recover from this state, flap the bond interface (not the physical swp) by running ifdown <bond_name> ; sleep 1 ; ifup <bond_name>.
Affects: 4.3.0-4.4.5
Fixed: 5.0.0-5.4.0
2582639
On NVIDIA Spectrum switches, BUM traffic might be dropped during VXLAN decapsulation in an EVPN multihoming environment after multiple PIM uplink interfaces flap.
Affects: 4.3.0-4.3.1
Fixed: 4.4.0-4.4.5
2578872
CVE-2021-20270: It was discovered that Pygments, a syntax highlighting package written in Python, could be forced into an infinite loop, resulting in denial of service.
Vulnerable: 2.3.1+dfsg-1
Fixed: 2.3.1+dfsg-1+deb10u1
Affects: 4.0.0-4.3.1
Fixed: 4.4.0-4.4.5
2578870
CVE-2020-35523 CVE-2020-35524: Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed.
Vulnerable: <= 4.1.0+git191117-2~deb10u1
Fixed: 4.1.0+git191117-2~deb10u2
Affects: 4.0.0-4.3.1
Fixed: 4.4.0-4.4.5
2578845
CM-30832
The Mellanox SN2700 and SN2410 switches intermittently report PSU fan state changes with Unable to read from device/fan1_input/pwm1 syslog messages.
Affects: 3.7.11-3.7.14, 4.1.1-4.3.0
Fixed: 3.7.14.2-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5
2577499
QSFP+ 40G optics do not work on Spectrum platforms.
Affects: 4.3.0-4.3.1
Fixed: 4.4.0-4.4.5
2574368
When you run the NCLU net add bgp maximum-paths ibgp command, FRR restarts unexpectedly.
To work around this issue, either use the vtysh commands or edit the /etc/frr/frr.conf file directly, then run systemctl reload frr.
Affects: 4.1.1-4.4.5
2566880
CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range.
Affects: 3.7.14-3.7.14.2, 4.0.0-4.3.1
Fixed: 3.7.15-3.7.16, 4.4.0-4.4.5
2564534
Several vulnerabilities have been discovered in the GRUB2 bootloader:
CVE-2020-14372: It was discovered that the acpi command allows a privileged user to load crafted ACPI tables when Secure Boot is enabled
CVE-2020-25632: A use-after-free vulnerability was found in the rmmod command
CVE-2020-25647: An out-of-bound write vulnerability was found in the grub_usb_device_initialize() function, which is called to handle USB device initialization
CVE-2020-27749: A stack buffer overflow flaw was found in grub_parser_split_cmdline
CVE-2020-27779: It was discovered that the cutmem command allows a privileged user to remove memory regions when Secure Boot is enabled
CVE-2021-20225: A heap out-of-bounds write vulnerability was found in the short form option parser
CVE-2021-2023: A heap out-of-bound write flaw was found caused by mis-calculation of space required for quoting in the menu rendering.
Affects: 4.0.0-4.3.1
Fixed: 4.4.0-4.4.5
2556816
CM-33419
When ARP suppression is enabled, RARP packets sometimes get dropped and are not flooded by the local VTEP.
To work around this issue, disable ARP suppression.
Affects: 3.7.14-3.7.14.2, 4.3.0
Fixed: 3.7.15-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5
2556782
CM-33398
CVE-2021-0326: An issue has been found in wpa, a set of tools to support WPA and WPA2 (IEEE 802.11i). Missing validation of data can result in a buffer over-write, which might lead to a DoS of the wpa_supplicant process or potentially arbitrary code execution.
Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u1
Affects: 3.7.14-3.7.14.2, 4.0.0-4.3.1
Fixed: 3.7.15-3.7.16, 4.4.0-4.4.5
2556777
CM-33395
CVE-2021-26937: A flaw in the handling of combining characters in screen, a terminal multiplexer with VT100/ANSI terminal emulation can result in denial of service, or potentially the execution of arbitrary code via a specially crafted UTF-8 character sequence.
Vulnerable: 4.6.2-3
Fixed: 4.6.2-3+deb10u1
Affects: 4.0.0-4.3.1
Fixed: 4.4.0-4.4.5
2556775
CM-33393
DSA-4859-1 (no CVE): zstd, a compression utility, was vulnerable to a race condition: it temporarily exposed, during a very short timeframe, a world-readable version of its input even if the original file had restrictive permissions.
Vulnerable: <= 1.3.8+dfsg-3+deb10u1
Fixed: 1.3.8+dfsg-3+deb10u2
Affects: 4.0.0-4.3.0
Fixed: 4.3.1-4.4.5, 4.4.0-4.4.5
2556772
CM-33391
The net show clag verify-vlans command fails with the following log:

WARNING: '/usr/bin/clagctl verifyvlans' failed due to:
Command '['/usr/bin/clagctl', 'verifyvlans']' returned non-zero exit status 1

To work around this issue, run the /usr/bin/clagctl verifyvlans command or the net show clag verbose command.
Affects: 4.2.1-4.4.5
2556764
CM-33385
In a configuration with both traditional and vlan-aware bridges, the VLAN membership check on a vlan-aware switch does not drop PVST BPDUs that come from a traditional bridge.
Affects: 3.7.14-3.7.14.2, 4.0.0-4.3.0
Fixed: 3.7.15-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5
2556730
CM-33359
CVE-2020-8625: A buffer overflow vulnerability was discovered in the SPNEGO implementation affecting the GSSAPI security policy negotiation in BIND, a DNS server implementation, which could result in denial of service (daemon crash), or potentially the execution of arbitrary code.
Vulnerable: <= 9.11.5.P4+dfsg-5.1+deb10u2
Fixed: 9.11.5.P4+dfsg-5.1+deb10u3
Affects: 4.0.0-4.3.1
Fixed: 4.4.0-4.4.5
2556691
CM-33334
The following vulnerabilities have been announced in the openssl packages:
CVE-2021-23840: Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash.
CVE-2021-23841: The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However, it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer dereference and a crash, leading to a potential denial of service attack.
CVE-2019-1551: There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME.
Vulnerable: <= 1.1.1d-0+deb10u4
Fixed: 1.1.1d-0+deb10u5
Affects: 4.0.0-4.3.0
Fixed: 4.3.1-4.4.5, 4.4.0-4.4.5
2556602
CM-33305
A clagd crash is observed with the following traceback in /var/log/clagd.log following a clag sync event, which is typically driven by a peerlink up event:
unhandled exception:
Traceback (most recent call last):
  File "/usr/sbin/clagd", line 1304, in PeerRecvT
    PeerRecv()
  File "/usr/sbin/clagd", line 513, in PeerRecv
    ParseProtoBufMessage(nlm, myPeerMsg)
  File "/usr/sbin/clagd", line 853, in ParseProtoBufMessage
    msgData = FdbSync.ParseProtoBufMessage(msgHdr)
  File "/usr/lib/python3/dist-packages/clag/fdbsync.py", line 892, in ParseProtoBufMessage
    msgData.ParseFromString(msgHdr.data)
google.protobuf.message.DecodeError: Error parsing message
Affects: 4.3.0
Fixed: 4.3.1-4.4.5
2556591
CM-33300
After upgrading to Cumulus Linux, MLAG ports might remain down with clagctl and net show clag reporting bridge-priority-mismatch.
To work around this issue, run the sudo ifreload -a command on both peers, or configure bridge-bridgeprio to be the same value as mstpctl-treeprio on the bridge interface in the /etc/network/interfaces file, then run sudo ifreload -a.
Affects: 4.3.0
Fixed: 4.3.1-4.4.5
2556569
CM-33283
DSA-4850-1 (no CVE): libzstd adds read permissions to files while being compressed or uncompressed.
Vulnerable: 1.3.8+dfsg-3
Fixed: 1.3.8+dfsg-3+deb10u1
Affects: 4.0.0-4.3.0
Fixed: 4.3.1-4.4.5, 4.4.0-4.4.5
2556500
CM-33258
Cumulus Linux does not support bond members at 200G or greater.
Affects: 4.0.0-4.3.0
Fixed: 4.3.1-4.4.5, 4.4.0-4.4.5
2556462
CM-33239
When you remove a fan tray, smonctl and sensors display different information about the removed fans.
Affects: 4.2.1-4.3.0
Fixed: 4.3.1-4.4.5
2556369
CM-33196
If you use NCLU to configure an ACL for eth0, you can’t designate it as an INPUT rule; the rule is automatically created as a FORWARD rule in the /etc/cumulus/acl/policy.d/50_nclu_acl.rules file.
To work around this issue, manually create an ACL in a rules file in the /etc/cumulus/acl/policy.d/ directory with "-A INPUT -i eth0".
Affects: 4.2.1-4.4.5
2556249
CM-33139
On a Mellanox switch configured with the max acl-heavy or ip-acl-heavy profile, the cl-resource-query -j command takes a long time to run.
Affects: 4.3.0
Fixed: 4.3.1-4.4.5
2556082
CM-33050
The NCLU net del vrf command does not delete a numbered VRF. For example:

cumulus@leaf01:~$ net del vrf 55
ERROR: Command not found
Affects: 4.2.1-4.4.5
2556081
CM-33049
You cannot set the time zone with NCLU commands.
Affects: 4.1.1-4.4.5
2555932
CM-32953
On Mellanox switches, you can’t ping the SVI of the MLAG peer over the peer link after the packet is VXLAN decapsulated.
Affects: 4.2.1-4.3.0
Fixed: 4.3.1-4.4.5
2555873
CM-32914
On Mellanox switches, egress ACLs with VLAN keys do not filter layer 2 multicast or broadcast traffic.
Affects: 4.3.0-4.4.5
2555763
CM-32861
The NCLU net del bgp neighbor command does not delete the neighbor and displays an error similar to the following:

ERROR: --- /run/nclu/frr/frr.conf.scratchpad.baseline 2021-01-04 17:23:59.250463331 +0000
+++ /run/nclu/frr/frr.conf.scratchpad 2021-01-04 17:25:59.213673980 +0000

To work around this issue, use the FRR command to delete a neighbor.
Affects: 4.3.0-4.4.5
2555613
CM-32786
The net show configuration commands command incorrectly displays the NCLU syntax to disable IPv6 forwarding on interfaces. For example:

# net show configuration commands
net add vlan 1 ip6-forward off

The correct NCLU command to disable IPv6 forwarding is net add vlan 1 ipv6 forward off (without the hyphen).
Affects: 4.2.1-4.4.5
2555318
CM-32612
If you try to enable BGP graceful restart when it is already enabled, you see an error similar to the following in the frr.log file:

2020-12-07T19:20:26.004333+00:00 cumulus bgpd[4954]: VRF default: Handle GR command GLOBAL_GR_CMD, current GR state GLOBAL_GR, new GR state GLOBAL_INVALID

This error has no functional impact.
Affects: 4.3.0-4.4.5
2554986
CM-32416
The ethtool utility doesn’t contain the latest values; as a result, the Revision Compliance field shows Unallocated.
Affects: 4.2.1-4.4.5
2554812
CM-32296
If the RMAC of a layer 3 SVI changes, the show vrf vni command is not updated with the new value. However, the new RMAC is seen in the show evpn vni command and is present on self-originated EVPN routes.
Affects: 4.2.1-4.4.5
2554798
CM-32286
On the Mellanox SN3700C switch, PIM multicast packets are duplicated at the egress VTEP.
Affects: 4.2.0-4.3.0
Fixed: 4.3.1-4.4.5, 4.4.0-4.4.5
2554783
CM-32274
If you apply an outbound route map to a BGP peer that uses set as-path prepend last-as, advertised locally-originated routes have the ASN of the peer prepended to the AS path.
This might trigger AS path loop prevention on the peer, where the peer ignores locally-originated prefixes.
Affects: 4.2.1-4.4.5
Fixed: 5.0.0-5.4.0
2554709
CM-32217
The IP address specified in the ip pim use-source command configured on the loopback interface should be inherited by unnumbered interfaces during their primary IP address selection process. If ip pim use-source is configured on the loopback after an unnumbered interface has already selected its primary IP address, the unnumbered interface does not update its primary IP address to the new use-source value until there is a netlink update for that interface.
To work around this issue, configure ip pim use-source on each unnumbered interface directly, or ensure that ip pim use-source is applied to the loopback before other unnumbered interfaces are enabled for PIM.
Affects: 3.7.13-3.7.16, 4.2.1-4.4.5
2554670
CM-32194
When you have a large number of ACLs, the cl-acltool -L ip and cl-resource-query commands take a long time to complete.
Affects: 4.3.0-4.4.5
2554582
CM-32144
On switches with the Maverick ASIC, control traffic is dropped due to receive buffering.
Affects: 4.2.0-4.4.5
2554533
CM-32112
On the ARM platform, NTP peer associations slowly increase to larger offsets (~500ms).
Affects: 4.0.0-4.4.5
2554466
CM-32068
Kernel routes added by iproute2 are missing in FRR after an interface flap.
To work around this issue, configure a static route in FRR.
Affects: 4.2.1-4.4.5
2554299
CM-31962
In a VRRP configuration, BGP unnumbered sessions for VRFs fail to establish after a networking restart.
Affects: 4.2.0-4.3.1
Fixed: 4.4.0-4.4.5
2554261
CM-31948
On Broadcom switches, when you create a VNI interface, switchd might crash with the following log message:
switchd[6628]: log.c:72 CRIT backend/bcm/hal_bcm_vxlan.c:1285: : Assertion '0' failed.
Affects: 4.3.0
Fixed: 4.3.1-4.4.5
2554222
CM-31921
The NCLU command to enable bridge learning fails.
As a workaround, enable bridge learning in the /etc/network/interfaces file. For example:

auto vni-30
iface vni-30
vxlan-id 30
bridge-access 30
bridge-arp-nd-suppress on
bridge-learning on
vxlan-local-tunnelip 10.10.10.1
mstpctl-bpduguard yes
mstpctl-portbpdufilter yes
mtu 9166
Affects: 4.2.1-4.4.5
2554218
CM-31917
MLAG packets received on the peer link are dropped instead of routed.
Affects: 4.2.0-4.4.5
2554202
CM-31904
The output of the net show commit command does not show the last commit or the specified commit number but is empty instead.
Affects: 4.2.1-4.4.5
2553989
CM-31759
The default policer for LACP, configured as an INPUT chain rule in 00control_plane.rules, is meant to protect the CPU from an LACP storm. When an LACP storm originates from a single bond or bond member interface on a switch with multiple bond interfaces, other LACP bond interfaces might go down.
Affects: 4.2.1-4.4.5
2553887
CM-31700
When TACACS+ is configured with a DEFAULT user that provides a privilege level lower than 16, TACACS+ users configured with privilege level 16 access might not be able to run privilege level 16 NCLU commands, such as net add and net del, and see an error similar to the following:

ERROR: You do not have permission to execute that command.

To work around this issue, remove the DEFAULT user from the TACACS+ server.
Affects: 3.7.7-3.7.16, 4.0.0-4.4.5
2553677
CM-31605
When you configure an SNMPv3 user with the net-snmp-config configuration command from the libsnmp-dev package, you get an error message similar to the one below:

cumulus@switch:mgmt-vrf:~$ sudo net-snmp-config --create-snmpv3-user -a shaauthpass -x aesprivpass -A SHA -X AES userSHAwithAES
adding the following line to /var/lib/snmp/snmpd.conf:
createUser userSHAwithAES SHA "shaauthpass" AES "aesprivpass"
adding the following line to /snmp/snmpd.conf:
rwuser userSHAwithAES
touch: cannot touch '/snmp/snmpd.conf': No such file or directory
/usr/bin/net-snmp-create-v3-user: 144: /usr/bin/net-snmp-create-v3-user: cannot create /snmp/snmpd.conf: Directory nonexistent

To work around this issue, use the NCLU command to configure SNMPv3 user parameters; for example:

cumulus@switch:mgmt-vrf:~$ net add snmp-server username user999 auth-md5 user999password encrypt-des user999encryption

Alternatively, directly edit the /etc/snmp/snmpd.conf file as described in the documentation.
Affects: 3.7.13-3.7.16, 4.0.0-4.4.5
2553237
CM-31418
The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF.
NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF.

Affects: 4.2.0-4.4.5
2553116
CM-31357
When you manually set the link speed or duplex mode with ethtool to an unsupported value, then run a TDR check against the interface, you encounter a switchd service heartbeat failure.
To work around this issue, reboot the switch to clear the condition. Avoid setting the interface speed or duplex mode directly with ethtool.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2553015
CM-31300
If the PortID advertised by an LLDP neighbor contains a special character, the net show interface command does not display the LLDP information or the command might fail.
Affects: 3.7.10-3.7.16, 4.2.0-4.4.5
2552691
CM-31111
On the EdgeCore AS4610 switch, the eth0 interface remains down when physically connected to a 1G interface.
To work around this issue, configure the link speed to 1000 and set auto-negotiation on for the eth0 interface, then flap eth0 with the ip link set eth0 down/up command to bring up the port.
Affects: 4.2.0-4.4.5
2552453
CM-30987
On the Mellanox switch, RoCE with PFC configuration is not applied to all ports in hardware when a range is used in the traffic.conf file.
To work around this issue, use NCLU to configure RoCE with PFC or list individual ports in the traffic.conf file.
Affects: 4.2.0-4.4.5
2552309
CM-30889
The following messages are seen on an EdgeCore Minipack-AS8000 running Cumulus Linux 4.2.0:

Hal_bcm_console.c:294 MMU config profile 0 prigroup 0: Service Pool 0 has no space and cannot be assigned
Hal_bcm_console.c:294 MMU config port 0 idx 0: Pool 0 has no space and cannot be assigned

These messages are for internal validation purposes only and can be safely ignored.
Affects: 4.2.0-4.4.5
2552294
CM-30879
NCLU restarts FRR when removing a BGP VRF IPv4 aggregate-address command.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2552266
CM-30863
OpenSSH scp is vulnerable to CVE-2020-15778, where clients that have authorized access to the SSH server can execute commands on the server by copying maliciously named files.
There are two scenarios where an exploit might be useful to an attacker:
- The user is authorized to use scp but not ssh (based on the command option in the authorized_keys file), so this vulnerability can allow the user to execute a remote command on the target computer when not authorized to do so.
- An attacker plants a maliciously named file in a directory tree that someone later copies to the target computer with scp -r.
Be aware that restricting users to scp by using the command option in the authorized_keys file does not prevent those users from executing arbitrary commands on the server.
If you want to use scp -r to copy directory trees, avoid copying directory trees to which attackers might have added maliciously named files. Archiving the directory tree with tar, zip, or a similar program, then copying the archive over and extracting it on the server, avoids the need for scp -r altogether. In addition, OpenSSH provides sftp, which you can use instead of scp to copy files.
To disable scp completely, run /bin/chmod 0 /usr/bin/scp.
Affects: 3.7.14-3.7.16, 4.0.0-4.4.5
2551666
CM-30473
If you modify an interface name, then reuse the previous interface name for a different VLAN, the ifreload -a command generates an error similar to the following:

warning: : interface not recognized - please check interface configuration

Affects: 4.1.0-4.4.5
2551578
CM-30422
When you configure a bridge in the /etc/network/interfaces file, then try to reconfigure the bridge to be a VRF interface with the same name, ifreload/ifup commands fail with an invalid table id or unable to get vrf table id error.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2551565
CM-30414
If you toggle VRRP priority values between VRRP routers, then restart switchd, a few IPv6 VRRP instances might not converge. As a result, both VRRP routers act as master routers for the impacted IPv6 VRRP instances. IPv4 VRRP instances are not affected.
To work around this issue, remove, then add back the VRRP configuration with NCLU or vtysh commands.
Affects: 3.7.13-3.7.16, 4.2.0-4.4.5
2551335
CM-30312
When TACACS+ is configured and the management VRF is enabled, users with privilege level 13 are prevented from running ip and cat commands.
Affects: 4.0.0-4.4.5
2551305
CM-30296
The net show configuration command provides the wrong net add command for ACL under the VLAN interface.

Affects: 3.7.12-3.7.16, 4.1.0-4.4.5
2551273
CM-30280
On a Mellanox SN2010 switch, the Locator LED is on after you upgrade Cumulus Linux.
Affects: 4.1.0-4.4.5
2551221
CM-30255
When span-to-cpu is enabled on a layer 3 swp interface with an IP address configured, packets whose destination IP is the switch port's IP address do not reach the switch port. To capture packets directed to the switch port's IP address, disable span-to-cpu and use tcpdump on the switch port instead.
Affects: 4.2.0-4.4.5
2551111
CM-30230
If a remote EVPN Sticky MAC [Static MAC address] is unexpectedly learned dynamically on a local interface, the selected entries in zebra and BGP are in an inconsistent state.
zebra increments the local MAC mobility sequence number and considers the MAC address to be local, but BGP maintains the remote Sticky MAC as the best path selected. This results in zebra installing the local MAC address and BGP not updating the route for the MAC address.
Affects: 4.0.0-4.4.5
2550974
CM-30195
On the Dell S3000 switch, after installing the Cumulus Linux 4.1.1 disk image without a license, the switch sends a link beat if a remote host port is configured.
Affects: 3.7.11-3.7.16, 4.1.1-4.4.5
2550793
CM-30101
The NCLU net show bridge spanning-tree command displays the aging timer incorrectly.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2550713
CM-30052
Configuring the subinterface of a VXLAN uplink under another traditional bridge, which also has the VXLAN VNI enslaved, causes switchd to use high CPU due to very frequent VXLAN tunnel sync events.
To work around this issue, do not enslave the subinterface of a VXLAN layer 3 uplink under a traditional bridge in a VXLAN configuration.
Affects: 4.1.1-4.4.5
2550704
On the Mellanox SN3420 switch, 25G SR optics only link up in force mode.
Affects: 4.3.0-4.3.1
Fixed: 4.4.0-4.4.5
2550642
CM-30006
ACLs with a SPAN target and a bond member as the in-interface are not supported on Spectrum-based switches.
Affects: 4.2.0-4.4.5
2550444
CM-29872
Tab completion for the net show rollback description command returns information about a snapshot instead of context help.
To work around this issue, run the net show commit history command to find descriptions instead of the net show rollback description command.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2550443
CM-29871
The net show rollback description command returns an error even if the string matches a commit description.
To work around this issue, look for your string in the output of the net show commit history command (or grep for it there) instead.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2550243
CM-29759
When you use nginx and restserver in management VRF to provide a REST API for the switch, nginx starts but restserver fails to start.
To work around this issue, comment out the Requires= line in the /lib/systemd/system/restserver.service file. For example:

#Requires=nginx.service restserver.socket
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2550056
CM-29652
The ACCTON-DIAG option under the Cumulus Linux GRUB menu does not work. When you select this option, you see the following error:

error: invalid signature.
Press any key to continue…
Affects: 3.7.12-3.7.16, 4.1.1-4.4.5
2549925
CM-29594
When you run an Ansible script to replace the /etc/network/interfaces file, then run the ifreload -a command, you see errors similar to the following:

error: swp1s1.2: netlink: cannot set link swp1s1.2 up: operation failed with 'Network is down' (100)
warning: cmd '/bin/ip addr del 10.0.0.1/24 dev eth0' failed: returned 2 (RTNETLINK answers: Cannot assign requested address

To work around this issue, run the ifreload -a command a second time.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2549872
CM-29562
If you have an SVI with multiple VRR IP addresses and try to delete one of the VRR configurations, net commit or ifreload -a returns an error.
Affects: 3.7.12-3.7.16, 4.1.1-4.4.5
2549782
CM-29519
The JSON format output of the net show bgp l2vpn evpn summary command shows the incorrect neighbour state.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2549731
CM-29492
When you create SPAN or ERSPAN rules in ebtables, the action fails to install if it is not in lowercase. Make sure that the SPAN or ERSPAN action is all lowercase; for example:

[ebtables]
-A FORWARD --in-interface swp10 -j span --dport swp1
Affects: 3.7.12-3.7.16, 4.1.1-4.4.5
2549392
CM-29319
When you configure an RD or RT with NCLU, you see duplicate VNI stanzas in the /etc/frr/frr.conf file.
To work around this issue, manually edit the /etc/frr/frr.conf file to define advertise-all-vni before the RD or RT configuration within the l2vpn EVPN address family, then reload the FRR service with the sudo systemctl reload frr command.
Affects: 4.1.0-4.4.5
2549371
CM-29309
When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when no MLD join is received.
Affects: 3.7.11-4.3.1
Fixed: 4.4.0-4.4.5
2548924
CM-29146
On the EdgeCore Minipack AS8000, storm control does not restrict unknown unicast, broadcast, or multicast traffic.
Affects: 4.1.1-4.4.5
2548657
CM-29035
When you upgrade Cumulus Linux on the EdgeCore AS7726-32X or AS7326-56X switch, you might see firmware errors similar to the following:

W: Possible missing firmware /lib/firmware/tigon/tg3_tso5.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3_tso.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3.bin for module tg3

You can safely ignore these error messages.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2548579
The following security vulnerability has been announced:
CVE-2020-10531: An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp.
Affects: 3.7.12, 4.0.0-4.4.5
Fixed: 3.7.13-3.7.16
2548315
CM-28816
The following security advisory has been announced for bash:
CVE-2019-18276 Qualys scan QID 372268 setuid vulnerability
When bash or bash scripts are run setuid, bash is supposed to drop privileges, but does so incorrectly, so that an attacker with command access to the shell can use enable -f for runtime loading of a new builtin that calls setuid() to regain dropped privileges.
To work around this issue, do not make bash or bash scripts setuid.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2548310
CM-28812
When the system boots, you might see errors similar to the following:

cumulus systemd-udevd[7566]: Process '/usr/bin/hw-management-thermal-events.sh add thermal_zone /sys/devices/virtual/thermal/thermal_zone25 thermal_zone25' failed with exit code 1

These errors occur because user space is slightly slow to act on kernel events. The mlxsw_minimal driver is added during kernel boot; an SDK reset then causes the driver to be deleted and re-instantiated. The user space handler for the thermal zone add event sees the add first, but the underlying device is deleted before the handler can act on it. The situation is rectified when the mlxsw_minimal driver is re-instantiated later.
Affects: 4.1.0-4.4.5
2548260
CM-28770
The net add routing route-map permit set community command does not add the set statement into the /etc/frr/frr.conf file.
Affects: 4.0.0-4.4.5
2548243
CM-28754
On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules.
Affects: 3.7.3-3.7.16, 4.0.0-4.4.5
2548117
CM-28659
In OVSDB traditional bridge mode, adding or removing a VLAN binding causes a traffic forwarding outage for around 20 seconds or more on adjacent VLAN bindings. Cumulus Linux does not support traditional bridge mode with VMware NSX.
Affects: 3.7.12-3.7.16, 4.0.0-4.4.5
2548062
CM-28622
When ports are split to 4x25G, RS FEC needs to be explicitly configured on both ends (especially when interoperating with non-Mellanox switches).
Affects: 4.1.0-4.4.5
2548044
CM-28608
When a remote VTEP withdraws a type-3 EVPN route, Cumulus Linux purges all MAC address and neighbor entries installed in the corresponding layer 2 VNI through that remote VTEP from the local EVPN and kernel forwarding tables. This purge occurs even if the remote VTEP does not withdraw type-2 routes carrying the MAC address or neighbor entries. The entries stay missing from the local EVPN and kernel forwarding tables until BGP updates the MAC address and neighbor.
Affects: 3.7.12-3.7.15, 4.0.0-4.4.5
Fixed: 3.7.16
2547903
CM-28506
CVE-2019-19956: xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs.
Vulnerable package version: 2.9.4+dfsg1-7
Fixed package version: 2.9.4+dfsg1-7+deb10u1
Affects: 4.0.0-4.4.5
2547890
CM-28497
QinQ across VXLAN on a traditional bridge does not work.
Affects: 4.1.0-4.4.5
2547782
CM-28441
If an LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns.
Affects: 3.7.11-3.7.16, 4.0.0-4.4.5
2547706
CM-28397
When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch.
Affects: 3.7.11-3.7.16, 4.0.0-4.4.5
2547405
CM-28226
When you restart the hsflowd service, you see a systemd warning message similar to the following:

Warning: The unit file, source configuration file or drop-ins of hsflowd@mgmt.service changed on disk. Run 'systemctl daemon-reload'.
Affects: 4.0.0-4.4.5
2547120
CM-28076
After you hot swap a PSU, the decode-syseeprom -t psuX command shows the old PSU information (such as the serial number), until you run the decode-syseeprom --init command.
Affects: 3.7.11-3.7.16, 4.0.0-4.4.5
2546991
CM-28003
The FRR service does not provide a way for automation to know if the configuration applied properly.
To work around this issue, execute the vtysh -f command in the automation file before starting the FRR service to validate the functional configuration and return an error code.
Affects: 3.7.11-3.7.16, 4.0.0-4.4.5
2546895
CM-27957
If you have configured a high number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following:

systemd[1]: switchd.service watchdog timeout (limit 2min)!

To work around this issue, either reduce the number of configured interfaces and/or VLANs, or increase the systemd timeout for switchd.service.
To increase the systemd timeout:
1. Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter.
2. Restart the switchd service with the sudo systemctl restart switchd.service command.
systemd attempts to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command.
Affects: 3.7.11-3.7.16, 4.0.0-4.4.5
2546874
CM-27950
On the Dell S5232F, S5248F, S5296F, and S3048 switch, using the poweroff or halt commands does not fully power off the switch.
Affects: 4.0.0-4.4.5
2546255
CM-27637
On the EdgeCore Minipack-AS8000 switch, a 100G DAC link does not come up when auto-negotiation is enabled on the neighbor. This switch does not support 100G DAC auto-negotiation at this time.
Affects: 4.0.0-4.4.5
2546225
CM-27627
When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support.
 
sudo onie-install -fai http://
sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image.
Affects: 3.7.11-3.7.16, 4.0.0-4.4.5
2546131
CM-27581
On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present.
Affects: 3.7.11-3.7.16, 4.0.0-4.4.5
2545837
CM-27444
If you use the NCLU commands to configure NTP and run the net add time ntp source command before you run the net add time ntp server iburst command, the /etc/ntp.conf file is misconfigured.
To work around this issue, run the net add time ntp server iburst command before you run the net add time ntp source command.
Affects: 3.7.10-3.7.11, 4.0.0-4.4.5
Fixed: 3.7.12-3.7.16
2545520
CM-27243
The length of the netlink message is not set properly for non-bridge family type messages. The same length is used for both bridge and non-bridge even though the bridge family type message has an extra attribute. This causes extra bytes to be left over in non-bridge family type netlink messages.
Affects: 3.7.10, 4.0.0-4.4.5
Fixed: 3.7.11-3.7.16
2545239
CM-27099
On the Mellanox switch with the Spectrum-2 ASIC, Precision Time Protocol (PTP) is not currently supported.
Affects: 4.0.0-4.3.1
Fixed: 4.4.0-4.4.5
2545233
CM-27094
On the Delta AG9032v1 switch, smonctl and sensors report inaccurate PSU current and power.
Affects: 4.0.0-4.4.5
2545125
CM-27018
If you configure more than one VRR interface on an SVI interface, deleting one of the VRR addresses does not remove the interface/address.
Affects: 3.7.10-3.7.16, 4.0.0-4.4.5
2544978
CM-26921
If you delete an undefined bond, then add a bond slave, the net commit command fails.
Affects: 3.7.9-3.7.16, 4.0.0-4.4.5
2544968
CM-26913
FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:

sudo sh -c "printf 'interface 50\nvrf TEST description L3 routing interface\n' >> /etc/frr/frr.conf"

should be:

sudo sh -c "printf 'interface 50 vrf TEST\ndescription L3 routing interface\n' >> /etc/frr/frr.conf"

To work around this issue, configure the interface manually in the /etc/frr/frr.conf file.
Affects: 3.7.9-3.7.16, 4.0.0-4.4.5
2544957
CM-26907
NCLU incorrectly allows you to apply port security configuration on layer 2 and layer 3 ports that are not part of a bridge.
Affects: 4.0.0-4.4.5
2544953
CM-26905
When you update the hostname of a switch with the NCLU net add hostname command, then run net commit, the lldpd service does not restart and other devices still see the old hostname.
To work around this issue, run the sudo systemctl restart lldpd.service command.
Affects: 3.7.10-3.7.16, 4.0.0-4.4.5
2544880
CM-26860
When you run the NCLU net show commit last or net show commit command, where is the last commit, no output is shown.
Affects: 4.0.0-4.4.5
2544723
CM-26769
Setting ProtoDown on ports populated with SFP modules providing RJ-45 1000BASE-T interfaces does not cause the carrier to be dropped. The kernel shows carrier down; however, the remote device still shows a link.
Affects: 3.7.6-3.7.10, 4.0.0-4.4.5
Fixed: 3.7.11-3.7.16
2544463
CM-26599
Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.
To work around this issue, do not use auto-negotiation and set the local port speed to 10G.
Affects: 3.7.9-3.7.16, 4.0.0-4.4.5
2544456
CM-26595
The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds.
Affects: 3.7.9-3.7.16, 4.0.0-4.4.5
2544311
CM-26516
Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host.
Affects: 3.7.5-3.7.16, 4.0.0-4.4.5
2544155
CM-26423
NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order.

Affects: 3.7.5-3.7.16, 4.0.0-4.4.5
2544113
CM-26412
MAC learning is not disabled by default on a double-tagged peer link interface, resulting in the MAC address changing between the MLAG bond and the peer link.
To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the /etc/network/interfaces file.
Affects: 3.7.9-3.7.16, 4.0.0-4.4.5
2543937
CM-26308
An interface alias configured outside FRR using iproute2 is imported into the FRR running configuration and overrides the internal description. After an FRR reload, this causes FRR to delete the interface alias in an inefficient way. Depending on how many interfaces with aliases you have configured, this can cause an FRR reload to time out.
To work around this issue, remove the interface alias description from iproute2.
Affects: 3.7.8-3.7.10, 4.0.0-4.4.5
Fixed: 3.7.11-3.7.16
2543900
CM-26288
On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address.
Affects: 3.7.8-3.7.16, 4.0.0-4.4.5
2543841
CM-26256
The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
Affects: 3.7.8-3.7.16, 4.0.0-4.4.5
2543816
CM-26241
On the Dell S5248F-ON switch, smond might generate syslog messages indicating that the fan input RPM is lower than the normal low speed of 2500 RPM. Speeds as low as 1700 RPM are acceptable in normal thermal environments; therefore, you can ignore these messages.
Affects: 3.7.6-3.7.11, 4.0.0-4.4.5
Fixed: 3.7.12-3.7.16
2543781
CM-26217
NCLU does not allow you to configure OSPF NSSAs. For example:

cumulus@switch:~$ net add ospf area 0.0.0.1 nssa
ERROR: Command not found.
net add ospf area 0.0.0.1 nssa

To work around this issue, use FRR instead. For example:

switch# configure terminal
switch(config)# router ospf
switch(config-router)# area 0.0.0.1 nssa
Affects: 3.7.7-3.7.10, 4.0.0-4.4.5
Fixed: 3.7.11-3.7.16
2543724
CM-26179
If a hostname contains utf-8 characters, the NCLU net show lldp command outputs the following error:

ERROR: 'ascii' codec can't encode character u'\xe9' in position 3: ordinal not in range(128)
See /var/log/netd.log for more details.
Affects: 3.7.7-3.7.10, 4.0.0-4.4.5
Fixed: 3.7.11-3.7.16
2543646
CM-26136
In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case).
Affects: 3.7.6-3.7.16, 4.0.0-4.4.5
2543401
CM-25986
On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces.
To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish.
Affects: 4.0.0-4.4.5
2543211
CM-25890
In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18).
Affects: 3.7.0-3.7.16, 4.0.0-4.4.5
2543164
CM-25859
The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.
To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command.
Affects: 3.7.7-3.7.16, 4.0.0-4.4.5
2543096
CM-25815
When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted.
Affects: 3.7.6-3.7.16, 4.0.0-4.4.5
2542945
CM-25740
On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags.
To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad:

cumulus@switch:~$ net add bridge mybridge vlan-protocol 802.1ad
Affects: 3.7.6-3.7.16, 4.0.0-4.4.5
2542837
CM-25674
On Mellanox switches, policer iptables are not working as expected. For example, when using a policer with mode KB/MB/GB to rate-limit interfaces, the syntax is accepted but the data plane transfer speed is not affected by the rule.
Affects: 3.7.6-3.7.8, 4.0.0-4.4.5
Fixed: 3.7.9-3.7.16
2542305
CM-25400
If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically.
Affects: 3.7.6-3.7.16, 4.0.0-4.4.5
2542301
CM-25397
When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted.
Affects: 3.7.3-3.7.16, 4.0.0-4.4.5
2541212
CM-24894
The maximum-prefix configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded.
Affects: 3.7.5-3.7.16, 4.0.0-4.4.5
2541029
CM-24799
On switches with the Trident2 ASIC, 802.1Q-encapsulated control plane traffic received on an interface with 802.1AD configured subinterfaces might be dropped.
This issue only affects QinQ configurations.
Affects: 3.7.5-3.7.16, 4.0.0-4.4.5
2540753
CM-24618
If the interface alias contains a single or double quotation mark, or an apostrophe, the net show configuration commands fail with the following error:
 
ERROR: No closing quotation
See /var/log/netd.log for more details.

Affects: 3.7.5-3.7.16, 4.0.0-4.4.5
2540444
CM-24473
SNMP incorrectly requires engine ID specification.
Affects: 3.7.4-3.7.16, 4.0.0-4.4.5
2540352
CM-24435
When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a match interface condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces.
For example, this command is incorrect:
 
net add routing route-map Proxy-ARP permit 25 match interface swp9-10

These commands are correct:
 
net add routing route-map Proxy-ARP permit 25 match interface swp9
net add routing route-map Proxy-ARP permit 30 match interface swp10

Affects: 3.7.2-3.7.16, 4.0.0-4.4.5
2540340
CM-24426
NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays . For example:
 
cumulus@switch:~$ net add vrf mgmt


Tab completion for the net add vrf ip address command works correctly.
Affects: 3.7.4-3.7.16, 4.0.0-4.4.5
2540274
CM-24379
On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route.
Affects: 3.7.5-3.7.16, 4.0.0-4.4.5
2540204
CM-24350
When links come up after FRR is started, VRF connected routes do not get redistributed.
Affects: 3.7.4-3.7.16, 4.0.0-4.4.5
2540192
CM-24343
The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.
To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value.
3.7.4-3.7.16, 4.0.0-4.4.5
2540155
CM-24332
On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.
3.7.3-3.7.16, 4.0.0-4.4.5
2540042
CM-24272
When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.
To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example:
 
cumulus@switch:~$ sudo vtysh
switch# configure terminal
switch(config)# interface br0.100
switch(config-if)# vrrp 1 priority 110
switch(config-if)# vrrp 1 advertisement-interval
switch(config-if)# end
switch# write memory
switch# exit
cumulus@switch:~

3.7.4-3.7.16, 4.0.0-4.4.5
2540041
CM-24271
On SVIs in a VLAN-aware bridge, you cannot change the VRRP priority with NCLU.
To work around this issue, run the vtysh command inside FRR to change the default priority. For example:
 
cumulus@switch:~$ sudo vtysh
switch# configure terminal
switch(config)# interface vlan100
switch(config-if)# vrrp 1 priority 110
switch(config-if)# end
switch# write memory
switch# exit
cumulus@switch:~

3.7.4-3.7.16, 4.0.0-4.4.5
2540040
CM-24270
Cumulus Linux uses VRRPv3 as the default version, and enables both preempt and accept mode by default. You cannot change these default values with NCLU. To work around this issue, run the vtysh commands (inside FRR) to change the default values. For example:
 
cumulus@switch:~$ sudo vtysh
switch# configure terminal
switch(config)# interface swp4
switch(config-if)# vrrp 1 version 2
switch(config-if)# no vrrp 1 preempt
switch(config-if)# end
switch# write memory
switch# exit
cumulus@switch:~

3.7.4-3.7.16, 4.0.0-4.4.5
2540031
CM-24262
NCLU does not honor auto all in the /etc/network/interfaces file and removes the existing configuration if no individual auto lines exist.
3.7.3-3.7.16, 4.0.0-4.4.5
2539994
CM-24241
When you try to remove a BGP peer group configuration with NCLU, the command fails but no warning message is shown. For example:
 
cumulus@switch:~$ net del bgp neighbor fabric peer-group
‘router bgp 65001’ configuration does not have ‘neighbor fabric peer-group’

3.7.2-3.7.16, 4.0.0-4.4.5
2539962
CM-24222
When an LDAP user that does not have NCLU privileges (either in the netshow or netedit group, or in the /etc/netd.conf file) runs an NCLU command, a traceback occurs instead of a permissions error.
3.7.0-3.7.16, 4.0.0-4.4.5
2539670
CM-24035
On the Edgecore 4610-54P switch, automatic medium-dependent interface crossover (auto-MDIX) stops working on a 100M full duplex interface and does not detect the required cable connection type.
3.7.2-3.7.16, 4.0.0-4.4.5
2539124
CM-23825
The net add interface ptm-enable command adds no ptm-enable for that interface in the frr.conf file.
Running the net add or the net del command does not remove no ptm-enable from the frr.conf file. You have to remove it manually using vtysh.
3.7.2-3.7.16, 4.0.0-4.4.5
2538790
CM-23665
NCLU automatically adds the VLAN ID (for the layer 3 VNI/SVI) to the bridge when you run net add vxlan bridge access . This configuration breaks network connectivity in an EVPN symmetric routing configuration using MLAG.
To restore connectivity, remove the VLAN ID from the bridge.
3.7.2-3.7.16, 4.0.0-4.4.5
2538590
CM-23584
When you configure a control plane ACL to define permit and deny rules for traffic destined to the local switch, NCLU programs the control plane ACL rules into the FORWARD chain rather than the INPUT chain, so they do not filter traffic to the switch itself.
3.7.2-3.7.16, 4.0.0-4.4.5
2538562
CM-23570
On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the /etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up.
After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown.
To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings.
Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G.
3.7.2-3.7.16, 4.0.0-4.4.5
2538294
CM-23417
If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid.
3.7.0-3.7.16, 4.0.0-4.4.5
2537699
CM-23075
There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces:
 
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
3.7.1-3.7.16, 4.0.0-4.4.5
2537544
CM-23021
When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB.
3.7.1-3.7.16, 4.0.0-4.4.5
2536576
CM-22554
If you try to bring down several members of a bond remotely at the same time, the link state of one of the interfaces might not transition correctly to the down state; however, all links show down in hardware.
4.0.0-4.4.5
2536384
CM-22386
The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does not differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptables redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.
3.7.0-3.7.16, 4.0.0-4.4.5
2536256
CM-22301
For an unresolved address, the IPROUTER default policer rule has been modified to not match on packets exiting a TUNNEL and headed to the CPU to resolve the address via ARP. As a result, the following default rule no longer matches TUNNEL ingress packets.
 
-A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type IPROUTER -j POLICE --set-mode pkt --set-rate 400 --set-burst 100

These packets are now policed by catch all rules.
To work around this issue, the VPORT value on a TRIDENT switch must be changed from binary 011 to 100.
4.0.0-4.4.5
2536242
CM-22287
On the EdgeCore AS7712 (Tomahawk) switch running in atomic mode, when a layer 3 ECMP path is brought down, traffic traversing the path stops working for about four seconds. When the switch is changed to non-atomic mode, the delay is less than one second. This issue is seen across OSPF and static ECMP routes.
4.0.0-4.4.5
2536179
CM-22228
On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working.
3.7.0-3.7.16, 4.0.0-4.4.5
2535986
CM-22041
At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets.
When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart.
3.7.0-3.7.16, 4.0.0-4.4.5
2535965
CM-22020
On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly.
To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic.
3.7.0-3.7.16, 4.0.0-4.4.5
2535723
CM-21785
The source address of the ICMPv6 time exceeded message (traceroute hop) is sourced from the wrong VRF when the traceroute target resides on the same switch but in a different VRF.
4.0.0-4.4.5
2535605
CM-21667
FRR does not add BGP ttl-security to either the running configuration or to the /etc/frr/frr.conf file when configured on a peer group instead of a specific neighbor.
To work around this issue, add ttl-security to individual neighbors instead of the peer group.
4.0.0-4.4.5
2535209
CM-21278
The net show lldp command sometimes shows the port description in the Remote Port field. The net show interface command shows the correct value in the Remote Host field.
To work around this issue, use net show interface command for LLDP output when connected to Cisco equipment.
3.7.5-3.7.10, 4.0.0-4.4.5
Fixed: 3.7.11-3.7.16
2534734
CM-20813
Span rules matching the out-interface as a bond do not mirror packets.
4.0.0-4.4.5
2533691
CM-19788
If you configure a VLAN under a VLAN-aware bridge and create a subinterface of the same VLAN on one of the bridge ports, the bridge and interface compete for the same VLAN and if the interface is flapped, it stops working. Correcting the configuration and running the ifreload command does not resolve the conflict.
To work around this issue, correct the bridge VIDs and restart switchd or delete the subinterface.
3.7.12-3.7.16, 4.0.0-4.4.5
2533625
CM-19724
PIM and MSDP entries are set to the internal COS value of 6 so they are grouped together with the bulk traffic priority group in the default traffic.conf file. However, PIM, IGMP, and MSDP are considered control-plane and should be set to the internal COS value of 7.
4.0.0-4.4.5
2533337
CM-19454
When you use NCLU to bring a bond admin down (net add bond link down), the bond interface goes into admin down state but the switch ports enslaved to the bond remain UP. If you are using bond-lacp-bypass-allow or balance-xor mode, the host might continue to send traffic. This traffic will be dropped because although the bond slaves are UP, they are not members of the bridge.
To work around this issue, use the sudo ifdown command.
4.0.0-4.4.5
2531273
CM-17494
In certain cases, a peer device sends an ARP request from a source IP address that is not on the connected subnet and the switch creates a STALE neighbor entry. Eventually, the switch attempts to keep the entry fresh and sends ARP requests to the host. If the host responds, the switch has REACHABLE neighbor entries for hosts that are not on the connected subnet.
To work around this issue, change the value of arp_ignore to 2. See Address Resolution Protocol in the Cumulus Linux user guide (https://docs.cumulusnetworks.com/cumulus-linux/Layer-3/Address-Resolution-Protocol-ARP/) for more information.
4.0.0-4.4.5

Fixed Issues in 4.3.0

Issue ID | Description | Affects
2959067
ECMP produces errors indicating No More Resources and switchd crashes even when ECMP utilization is low.
3.7.14.2-4.2.1
2687332
When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usage.
To work around this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example:
Before:
 
address-family ipv4 unicast
 aggregate-address 10.10.0.0/16 summary-only
 redistribute connected

After:
 
ip route 10.10.0.0/16 Null0
!
address-family ipv4 unicast
 redistribute connected route-map DENY-COMPONENTS
 redistribute static
exit-address-family
ip prefix-list NO-COMPONENTS seq 5 permit 10.10.0.0/16 ge 17
!
route-map DENY-COMPONENTS deny 10
 match ip address prefix-list NO-COMPONENTS
!
route-map DENY-COMPONENTS permit 20

This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed.
3.7.12-4.2.1
2556334
CM-33176
On the Mellanox SN-4700 switch, when you use a 2x100G configuration, the links do not come up.
2556279
CM-33160
CVE-2021-3156: A serious heap-based buffer overflow has been discovered in sudo that is exploitable by any local user. It has been given the name Baron Samedit by its discoverer. The bug can be leveraged to elevate privileges to root, even if the user is not listed in the sudoers file. User authentication is not required to exploit the bug.
Vulnerable: <= 1.8.27-1+deb10u2
Fixed: 1.8.27-1+deb10u3
4.0.0-4.2.1
2556217
CM-33117
The following vulnerability affects lldpd:
CVE-2020-27827: A packet that contains multiple instances of certain TLVs will cause lldpd to continually allocate memory and leak the old memory. As an example, multiple instances of system name TLV will cause old values to be dropped by the decoding routine.
Fixed: 1.0.4-0-cl4.3.0u2
3.7.14-3.7.14.2, 4.0.0-4.2.1
2556215
CM-33115
When you run any of the vtysh show bgp ipv4 or show bgp ipv6 statistics commands, the bgpd service crashes.
4.2.1
2556010
CM-32994
On Broadcom switches, after repeated VLAN or VXLAN configuration changes, switchd memory might not free up appropriately, which can lead to a crash.
3.7.14, 4.0.0-4.2.1
2555761
CM-32860
The following vulnerabilities were announced in the p11-kit (libp11-kit0) packages:
CVE-2020-29361: Multiple integer overflows have been discovered in the array allocations in the p11-kit library and the p11-kit list command, where overflow checks are missing before calling realloc or calloc.
CVE-2020-29362: A heap-based buffer over-read has been discovered in the RPC protocol used by the p11-kit server/remote commands and the client library. When the remote entity supplies a byte array through a serialized PKCS#11 function call, the receiving entity may allow the reading of up to 4 bytes of memory past the heap allocation.
CVE-2020-29363: A heap-based buffer overflow has been discovered in the RPC protocol used by p11-kit server/remote commands and the client library. When the remote entity supplies a serialized byte array in a CK_ATTRIBUTE, the receiving entity may not allocate sufficient length for the buffer to store the deserialized value.
Vulnerable: 0.23.15-2
Fixed: 0.23.15-2+deb10u1
4.0.0-4.2.1
2555690
CM-32829
The NET-SNMP-EXTEND-MIB, disabled in Cumulus Linux 4.2.1 and 3.7.14 to prevent security vulnerability CVE-2020-15862, is re-enabled read-only.
3.7.14-3.7.14.2, 4.2.1
2555588
CM-32774
You can’t delete a BGP community list created with NCLU.
4.2.1
2555531
CM-32753
QinQ (802.1ad) packets routed to a layer 3 subinterface are still double tagged with the VLAN of the subinterface and the original inner VLAN when they leave the subinterface.
4.2.0-4.2.1
2555528
CM-32750
In an EVPN Active/Active configuration, when one of the peers reboots and begins to refresh IP neighbor entries shared by the MLAG peer, some of these ARP messages might be dropped by the MLAG peer’s ARP policer.
To work around this issue, increase the burst value of the ARP policers to 200 or higher.
3.7.14-4.2.1
2555492
CM-32728
On Broadcom switches, when WARN level switchd log messages are generated, switchd might crash resulting in a core file generated on the system.
3.7.14
2555484
CM-32723
ospf6d restarts when you run the NCLU net show ospf6 database command or the vtysh show ipv6 ospf6 database command.
4.2.0-4.2.1
2555428
CM-32683
When you change the SVI vlan-id value in the /etc/network/interfaces file, then run ifreload -a, the 802.1Q ID for the SVI in the kernel does not change.
This operation is not supported in the kernel without recreating the SVI. To apply the change, run ifdown, then ifup for the SVI to recreate the interface.
3.7.13-3.7.15, 4.2.1
2555426
CM-32681
Broadcom switches running Cumulus Linux do not support EVPN Multihoming. When a BGP update with EVPN multihoming attributes is received, switchd crashes.
EVPN Multihoming is supported on Mellanox switches only.
4.2.1
2555400
CM-32661
On the Edgecore AS7312 switch, eth0 and swp use the same MAC address.
3.7.14-3.7.14.2, 4.0.0-4.2.1
2555380
CM-32647
When you start asic-monitor, you might see increasing memory usage.
4.2.1
2555373
CM-32641
CVE-2020-27350: Missing input validation in the ar/tar implementations of APT, the high level package manager, could cause out-of-bounds reads or infinite loops, resulting in denial of service when processing malformed deb files.
CVE-2020-27351: Various memory and file descriptor leaks were discovered in the Python interface to the APT package management runtime library, which could result in denial of service.
Vulnerable: apt <= 1.8.2.1, python-apt <= 1.8.4.1
Fixed: apt 1.8.2.2, python-apt 1.8.4.3
4.0.0-4.2.1
2555339
CM-32622
The following vulnerability has been announced in OpenSSL:
CVE-2020-1971: A flaw in the GENERAL_NAME_cmp() function could cause a NULL dereference when both GENERAL_NAMEs contain an EDIPARTYNAME, resulting in denial of service. More information can be found at https://www.openssl.org/news/secadv/20201208.txt.
Vulnerable: <= 1.1.1d-0+deb10u3
Fixed: 1.1.1d-0+deb10u4
4.0.0-4.2.1
2555223
CM-32554
An EVPN route map filter matching a VNI on egress on the originating router might not set a large-community correctly:

route-map TEST-TAG permit 10
match evpn vni 109001
set large-community 20:20:333
!

To work around this issue, remove the VNI match to allow the tag to be applied on egress.
The VNI match works if applied at some other non-originating router either in the ingress or egress direction.
4.2.1
2554990
CM-32420
When running traditional mode bridges at scale (for example, when you have more than 200 bridges and a large number of MAC addresses), MLAG bonds flap intermittently from dual to single connected, then back to dual connected, which causes a layer 2 loop and STP state changes.
To work around this issue, either shut down one side of the MLAG bond or prune out VLANS over the bond.
3.7.13-3.7.14.2, 4.0.0-4.2.1
2554982
CM-32412
CVE-2020-28196: MIT Kerberos 5 (aka krb5) before 1.17.2 and 1.18.x before 1.18.3 allows unbounded recursion via an ASN.1-encoded Kerberos message because the lib/krb5/asn.1/asn1_encode.c support for BER indefinite lengths lacks a recursion limit.
Vulnerable: 1.17-3
Fixed: 1.17-3+deb10u1
4.0.0-4.2.1
2554866
CM-32329
On the Mellanox SN3420 switch, 1000BaseT and 1000Base-SX/LX modules do not link up.
4.2.1
2554834
CM-32311
CVE-2020-25709, CVE-2020-25710: Two vulnerabilities in the certificate list syntax verification and in the handling of CSN normalization were discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of these flaws to cause a denial of service (slapd daemon crash) via specially crafted packets.
Vulnerable: <= 2.4.47+dfsg-3+deb10u3
Fixed: 2.4.47+dfsg-3+deb10u4
4.0.0-4.2.1
2554809
CM-32294
Some non-Mellanox ethernet modules do not link up on the Mellanox SN3420 switch with Cumulus PSID in the hardware revision. To see if a Mellanox SN3420 switch has the Cumulus PSID, check the output of mlxfwmanager for MSN3420-CxxxC_Ax in the Part Number field. A Mellanox SN3420 switch with MSN3420-CxxxO_Ax has an ONIE PSID and is unaffected by this issue.
To work around this issue, use Mellanox ethernet modules with the Mellanox SN3420 switch.
4.2.1
2554785
CM-32275
After you reboot a Broadcom switch, switchd might fail to restart and you see logs in switchd.log similar to the following:
Nov 12 12:20:05.063876 leaf01 switchd[9867]:
Nov 12 12:20:05.064310 leaf01 switchd[9867]: hal_bcm_console.c:294 0:system_init:
Nov 12 12:20:05.064428 leaf01 switchd[9867]: hal_bcm_console.c:294 system_init: Misc init failed: Operation timed out
Nov 12 12:20:05.064464 leaf01 switchd[9867]:
Nov 12 12:20:05.091995 leaf01 switchd[9867]: hal_bcm_console.c:294 LED: Loading 256 bytes into LED program memory
Nov 12 12:20:05.092029 leaf01 switchd[9867]:
Nov 12 12:20:05.099547 leaf01 switchd[9867]: hal_bcm_console.c:294 PORT: Error: bcm ports not initialized
Nov 12 12:20:05.099579 leaf01 switchd[9867]:
Nov 12 12:20:05.099646 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /var/lib/cumulus/rc.datapath_0: line 81 (error code -1): script terminated
Nov 12 12:20:05.099667 leaf01 switchd[9867]:
Nov 12 12:20:05.099775 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /etc/bcm.d/rc.soc: line 70 (error code -1): script terminated
Nov 12 12:20:05.099798 leaf01 switchd[9867]:
Nov 12 12:20:05.099871 leaf01 switchd[9867]: hal_bcm_console.c:294 ERROR loading rc script on unit 0
Nov 12 12:20:05.099892 leaf01 switchd[9867]:
Nov 12 12:20:05.099943 leaf01 switchd[9867]: hal_bcm_console.c:299 CRIT loading of rc script failed, aborting!

To work around this issue, configure Cumulus Linux to boot with the intel_iommu=off kernel command line option:
1. Open the /etc/default/grub file with a text editor.
2. Edit the GRUB_CMDLINE_LINUX variable by adding the string intel_iommu=off at the end. For example: GRUB_CMDLINE_LINUX="cl_platform=cel_e1031 console=ttyS1,115200n8 intel_iommu=off"
3. Run the update-grub command.
4. Reboot the switch.
3.7.11-4.2.1
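The GRUB edit in the workaround above is easy to apply twice or to apply to a file whose GRUB_CMDLINE_LINUX line is quoted differently, so here is an added Python example (not from the release notes or from Cumulus Linux) that appends the option idempotently and checks /proc/cmdline after the reboot. The sample /etc/default/grub content is constructed, and update_grub_default() only rewrites the file: running update-grub and rebooting remain manual steps.

```python
import re

KERNEL_ARG = "intel_iommu=off"

# Constructed sample of /etc/default/grub on the affected platform.
SAMPLE_GRUB_DEFAULT = """\
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX="cl_platform=cel_e1031 console=ttyS1,115200n8"
"""

# Matches the GRUB_CMDLINE_LINUX line with double, single or no quotes.
_CMDLINE_RE = re.compile(r'^(GRUB_CMDLINE_LINUX=)(["\']?)(.*?)\2[ \t]*$', re.MULTILINE)


def add_kernel_arg(grub_text, arg=KERNEL_ARG):
    """Return grub_text with arg appended to GRUB_CMDLINE_LINUX, never duplicated."""
    m = _CMDLINE_RE.search(grub_text)
    if m is None:
        # No GRUB_CMDLINE_LINUX line at all: add one at the end.
        return grub_text.rstrip("\n") + f'\nGRUB_CMDLINE_LINUX="{arg}"\n'
    args = m.group(3).split()
    if arg in args:
        return grub_text  # already present, leave the file untouched
    quote = m.group(2) or '"'
    new_line = f'{m.group(1)}{quote}{" ".join(args + [arg])}{quote}'
    return grub_text[: m.start()] + new_line + grub_text[m.end():]


def cmdline_has_arg(proc_cmdline, arg=KERNEL_ARG):
    """True if the running kernel was booted with arg (read /proc/cmdline after reboot)."""
    return arg in proc_cmdline.split()


def update_grub_default(path="/etc/default/grub", arg=KERNEL_ARG):
    """Rewrite the real file in place; returns True if it changed.

    Run update-grub and reboot afterwards; this function does neither.
    """
    with open(path) as f:
        text = f.read()
    new_text = add_kernel_arg(text, arg)
    if new_text != text:
        with open(path, "w") as f:
            f.write(new_text)
    return new_text != text


if __name__ == "__main__":
    print(add_kernel_arg(SAMPLE_GRUB_DEFAULT), end="")
```

After the reboot, cmdline_has_arg(open("/proc/cmdline").read()) confirms the option actually took effect before you judge whether switchd now starts.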
2554730
CM-32235
In an EVPN multihoming configuration, reloading FRR causes brief traffic loss.
4.2.1
2554720
CM-32226
If switchd successfully signals clagd that it is going down, clagd stops responding to keepalive echo requests from the peer instead of sending a goodbye to the peer over both the peerlink and the backup switch. Eventually, the keepalive timer expires and the secondary switch becomes the primary, and brings the bonds and VNIs back up. However, if switchd does not successfully signal it is going down (in the event of a crash), the primary switch continues to respond to keepalives, and the bonds and VNIs are down on both peers.
3.7.12-3.7.14.2, 4.0.0-4.2.1
2554711
CM-32219
On the Mellanox SN3700C switch, running cl-support with a large number of ports configured can cause switchd to crash.
4.2.1
2554707
CM-32215
On the Dell S5048F-ON switch, optical transceivers do not come up and the modules are in reset mode.
4.0.0-4.2.1
2554588
CM-32149
If you try to reconfigure a DHCP server after you delete the switch configuration with the net del all command, the dhcpd service fails because a duplicate process is running.
To work around this issue, edit the /usr/lib/python2.7/dist-packages/nclu/plugins/dhcp.py file to change:
DHCPD_PID="-pf {0}"
to:
DHCPD_PID="-pf {1}"
3.7.13-4.2.1
2554503
CM-32086
If the peer link does not trunk all VLANs on an MLAG bond, all FDB entries learned through that MLAG bond are not redirected over the peer link when the MLAG bond goes down. As a result, traffic destined to the MAC addresses that arrives on the MLAG peer with the downed MLAG port is dropped.
To work around this issue, ensure that the peer link trunks all VLANs that exist on all MLAG bonds.

4.2.0-4.2.1
2554401
CM-32030
On the Mellanox SN4600C switch, the fan speed fluctuates when only one PSU is plugged in.
To work around this issue, use both PSUs.
4.2.1
2554369
CM-32006
Certain Dell S4048-ON switches show an incorrect vendor name and hang when you issue the reboot command.
3.7.12-4.2.1
2554333
CM-31982
The INPUT chain POLICE target acts as ACCEPT instead of continue.
4.2.1
2554292
CM-31959
With traditional bridges, a race condition occurs when Cumulus Linux tries to derive MAC addresses.
To work around this issue, use a static MAC address; specify a MAC address in the /etc/network/interfaces file under the bridge’s stanza.
4.2.1
2554258
CM-31945
Interfaces configured to get an IP address with DHCP try only three times to secure a DHCP lease (instead of retrying indefinitely). If unsuccessful after the third try, the switch stops trying.
4.2.1
2554253
CM-31942
After upgrading the Mellanox SN2410 switch, the FAN is set to full speed.
4.2.1
2554246
CM-31936
When you back up and restore a configuration using the conf-backup utility, the switch might hang when rebooted.
4.1.1-4.2.1
2553952
CM-31739
On Mellanox Spectrum based switches running 4.1.0 or higher, if FORWARD chain ACLs are configured on the system, a switch port breakout action applied with a reload of the switchd service may cause switchd to crash.
4.2.0-4.2.1
2553747
CM-31627
On switches with the Spectrum ASIC, the IPv6 default route might be present in the kernel but missing in hardware when IPv6 RAs are received on SVIs configured with ip-forward off.
3.7.11-3.7.14.2, 4.2.1
2553742
CM-31623
The next hop for static routes configured in a non-default VRF might be incorrectly flagged as inactive. Remove and reconfigure the static VRF route to recover from this condition.
4.2.1
2553731
CM-31618
A ping via a dual-connected bond fails, and the audio stream is not routed or encapsulated through the layer 3 VNI.
3.7.12-3.7.13, 4.0.0-4.2.1
2553586
CM-31565
Multicast traffic on a VPN is sent to remote VTEPs that are not part of the VPN and the remote VTEPs receive multicast traffic encapsulated in a VXLAN ID that doesn’t exist.
To work around this issue, disable IGMP snooping on the switch.
3.7.12-3.7.13, 4.0.0-4.2.1
2553568
CM-31560
After a MAC address moves from one remote VTEP to another, the MAC address continues to point to the old VTEP IP address in hardware.
4.1.1-4.2.1
2553529
CM-31545
In an MLAG configuration with a layer 3 VNI, when you bounce the peer link, all layer 2 VNIs listed under the layer 3 VNI are duplicated.
To work around this issue, restart FRR with the sudo systemctl restart frr.service command.

3.7.10-3.7.13, 4.1.1-4.2.1
2553468
CM-31512
Digital Optical Monitoring (DOM) data is displayed incorrectly on SFP fiber modules inserted in the Fiberstore N8500-48B6C, Celestica Questone, and Celestica RedstoneV switches.
4.2.0-4.2.1
2553449
CM-31504
On the Dell N3248-PXE switch, when you insert two PSUs at different times, the newly inserted PSU is detected as OK but the fan and temp sensors are ABSENT.
To work around this issue, remove power to both PSUs at the same time, then reinsert power simultaneously.
3.7.12-3.7.13, 4.2.1
2553349
CM-31469
When you delete a layer 2 VNI and VLAN, the layer 3 VNI reports an incorrect layer 2 VNI number.
To work around this issue, either restart FRR or delete the VNI interface first, then delete the VLAN/SVI.
4.2.0-4.2.1
2553278
CM-31441
Leaked routes are sometimes missing from the destination VRF after a reboot.
4.2.0-4.2.1
2553228
CM-31412
On the Dell N3248PXE switch, RJ45 fixed copper ports that auto-negotiate with a 100M or 10M neighbor incorrectly negotiate a half-duplex link that generates errors. Half duplex modes are not supported on this platform.
3.7.12-3.7.13, 4.2.1
2553219
CM-31407
You cannot configure SNMPv3 trap-destinations in non-default VRFs with an authentication username that contains fewer than eight characters.
3.7.12-4.2.1
2553118
CM-31358
The Dell 100G-LR4 (Innolight) transceiver cannot link up due to a power budget exceeded error on the Mellanox SN4600C switch.
4.2.0-4.2.1
2552939
CM-31263
RX_DRP on a bond interface increases without any data traffic while the slave port does not increase.
3.7.12-4.2.1
2552880
CM-31238
IPv6 TCP or UDP connections (sourcing from an ephemeral port in the range 34048 to 35071) are not forwarded if the switch has more than one layer 2 VNI defined. The traffic might be locally switched on the bridge and dropped.
To work around this issue, disable ARP/ND suppression to remove the internal ACL rule that affects the ports.
3.7.13, 4.2.1
2552869
CM-31231
On the Dell N3048EP switch, the module information from SFP ports is not displayed in the l1-show command.
To work around this issue, use the ethtool -m command.
3.7.13-4.2.1
2552853
CM-31222
Tenant VRF BGP peers appear in the EVPN RMAC and nexthop tables, which causes the kernel RMAC to point at an invalid IP address.
3.7.12-3.7.14.2, 4.0.0-4.2.1
2552744
CM-31152
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks:
CVE-2020-14351, CVE-2020-29660, CVE-2020-29661, CVE-2020-25704, CVE-2020-28974, CVE-2020-25705, CVE-2020-28915, CVE-2020-25211, CVE-2019-19338, CVE-2020-0305, CVE-2019-18885, CVE-2019-19072, CVE-2020-12652, CVE-2020-24394, CVE-2020-25641, CVE-2019-3874, CVE-2019-5489. (CVE-2020-27825, CVE-2020-29369, CVE-2020-29372 and CVE-2020-29534 are not applicable to Cumulus Linux.) For the detailed security status of linux, refer to its security tracker page at https://security-tracker.debian.org/tracker/linux
4.2.0-4.2.1
2552742
CM-31150
On the Mellanox SN2410 switch, you see switchd core and GBIN_MALLOC errors.
To work around this issue, restart switchd.
3.7.12-4.2.1
2552710
CM-31125
The MLAG bonds on a secondary switch do not change to a unique MAC address on the peerlink. As a result, a backup double failure can occur where both peers go down.
4.2.0-4.2.1
2552704
CM-31120
In a traditional bridge configuration with ip-forward off, neighbors are synchronized to hardware with a switchd restart but are cleared when you flap the bridge interface.
3.7.10-3.7.14.2, 4.0.0-4.2.1
2552687
CM-31107
When you boot Cumulus VX 4.2 for the first time, ZTP does not execute because it thinks that the /etc/shadow file has been modified. This is due to the default password change implemented in CL 4.2.
To work around this issue, boot the switch, manually change the password, then run sudo ztp -R to reset the ZTP script.
4.2.0-4.2.1
2552527
CM-31028
Ingress SPAN/ERSPAN does not mirror packets when the next hop is EVPN encapsulated.
3.7.7-3.7.13, 4.0.0-4.2.1
2552354
CM-30916
On the Mellanox SN4700 switch, you might see Bad signal integrity issues on 200G and 400G ports.
4.2.1
2551873
CM-30555
If you have an existing community list of any type, redefining the same sequence number results in the entire community list being deleted.
To work around this issue, delete the community list sequence before trying to adjust it.
4.2.0-4.2.1
2551747
CM-30514
In OVSDB high availability mode, deleting more than 200 VLAN bindings might cause ovs-vtepd to crash. Limit the deletion to 200 or fewer VLAN bindings.
3.7.12-3.7.13, 4.0.0-4.2.1
2551687
CM-30485
When you run cl-ecmpcalc to determine a hardware hash result, tests might fail.
4.2.0-4.2.1
2551422
CM-30361
On Mellanox switches with the Spectrum-2 ASIC, the lpm-balanced forwarding profile does not work.
4.1.1-4.2.1
2551187
CM-30247
dot1qVlanIndex in the dot1qVlanStaticTable of the SNMP Q-BRIDGE-MIB does not use VLAN ID and does not comply with RFC 4363.
4.1.1-4.2.1
2551124
CM-30231
When the dynamic or static flag on a bridge fdb (MAC) entry is changed to the opposite state, the new flag is not set appropriately in hardware. This can allow a static fdb entry to be unexpectedly learned dynamically on a different interface, or can prevent a dynamic entry from being updated or learned elsewhere.
This condition can occur during a manual replacement of a local MAC address or when EVPN updates a dynamic MAC address to add or remove the Sticky Mac flag. Either situation results in the MAC address keeping the original flag in hardware.
To work around this issue, delete or withdraw the fdb entry, then add the static MAC address directly. For example:

bridge fdb del 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master
bridge fdb add 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master [ static | dynamic ]

If you are unable to delete an EVPN-learned remote MAC address, you can replace the dynamic MAC address with a local static one, then delete the static MAC address. For example:

bridge fdb replace 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master static
bridge fdb del 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master
bridge fdb add 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master [ static | dynamic ]
4.0.0-4.2.1
2550973
CM-30194
After you enable RoCE with the net add interface storage-optimized pfc command, you cannot verify the command because it is not shown in the net show config command output.
4.1.1-4.2.1
2550906
CM-30159
After you delete a bond, the deleted bond members have the deleted bond MAC address instead of their original MAC address, which might result in traffic being discarded.
To work around this issue, perform a full switch restart.
4.1.1-4.2.1
2550796
CM-30103
On a Broadcom switch with the Trident2+ ASIC, ACL rules for VLANs are not applied after a reboot and the counters remain at zero.
To work around this issue, either do not set acl.non_atomic_update_mode = TRUE in the /etc/cumulus/switchd.conf file or run the cl-acltool -i command after the reboot to install the ACLs.
3.7.12-4.2.1
2550478
CM-29899
Using a VXLAN interface as the in-interface or out-interface in an ACL is not supported on Spectrum-based switches.
3.7.7-4.2.0
2550374
CM-29838
CPU utilization might increase when CLAG-managed bond interfaces are operationally (LACP) down but the physical carrier remains up on the bond member switch ports. This condition occurs when CLAG bond redirection is enabled and the bond members remain up while the parent bond does not negotiate LACP.

This issue is resolved in Cumulus Linux 3.7.14.
3.7.9-3.7.13, 4.0.0-4.2.1
2550348
CM-29829
Due to a known limitation, DHCPv6 snooping is not supported on Mellanox platforms.
Refer to the Mellanox support case.
4.2.0-4.2.1
2550276
CM-29779
In LLDP, the SNMP subagent loses all subsequent lldpRemSysName (1.0.8802.1.1.2.1.4.1.1.9) entries after an entry with a missing SysName is added.
All the information from lldpctl is correct. Only the entries that follow the entry with the missing SysName disappear from lldpRemSysName in the SNMP subagent.
3.7.12-4.2.1
2549838
CM-29546
In vtysh, if you configure, then remove a layer 3 VNI for a VRF, the VNI is removed from zebra even if the VNI interface still exists in the kernel.
If you configure a layer 2 VNI as a layer 3 VNI by mistake, removing the layer 3 VNI binding removes it from zebra but EVPN-learned MACs and neighbors are not installed into the kernel.
To work around this issue, delete, then re-add the missing VNI. For example:

cumulus@switch:~$ sudo ifdown vni10100
cumulus@switch:~$ sudo ifup vni10100

If you flap the link with the ip link set vni10100 down; ip link set vni10100 up commands, zebra does not re-add the VNI.
3.7.12-4.2.1
2549784
CM-29520
On Mellanox switches, when the networking service and switchd start up, a rare condition might occur where switchd crashes and the following log message is generated:

CRIT backend/mlx/hal_mlx_nexthop.c:294: hal_mlx_ecmp_data_reinit: Assertion ‘(num_next_hops)’ failed.
4.1.0-4.2.1
2549225
CM-29259
You might see the following gport error messages in switchd.log:

2020-04-10T19:50:01.011224+09:00 E1PDX0V1ELF0001 6 switchd[925]: hal_bcm_mdb.c:530 gport 0x800007a find failed
2020-04-10T19:50:01.011631+09:00 E1PDX0V1ELF0001 6 switchd[925]: hal_bcm_mdb.c:530 gport 0x8000009 find failed

These messages are harmless and can be ignored.
3.7.12-3.7.14.2, 4.0.0-4.2.1
2548930
CM-29148
On Mellanox Spectrum switches with an OSPF IP unnumbered neighborship that learns a large number of prefixes, a link flap might cause the neighbor entry to not be programmed in hardware.
3.7.11-4.2.1
2548672
CM-29043
When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF.
To work around this issue, remove the unnecessary eBGP IPv4 peering.
3.7.12-3.7.15, 4.0.0-4.2.1
2548485
CM-28940
If you configure the aggregate-address summary-only option before injecting a component of the same aggregate into the BGP table with the network or redistribute command, then when you remove the aggregate-address configuration, the component stays suppressed; it is not advertised to peers. For example:

Existing configuration:

router bgp 1
 address-family ipv4 unicast
  aggregate-address 50.0.0.0/8 summary-only
 exit-address-family

If you add network 50.0.0.1/32, you see the following (expected) BGP table entries:

Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
              i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 50.0.0.0         0.0.0.0                          32768 i
s> 50.0.0.1/32      0.0.0.0                  0       32768 i

Removing aggregate-address 50.0.0.0/8 summary-only at this point results in the following (unexpected) BGP table entry:

Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
              i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
s> 50.0.0.1/32      0.0.0.0                  0       32768 i

To work around this issue, remove, then re-add the component prefix routes.
3.7.12-4.2.1
2548408
CM-28891
The net show configuration command does not show the RoCE net add interface storage-optimized pfc configuration.
4.1.0-4.2.1
2547068
CM-28046
Hardware platforms using the Intel D-1500 CPU series might reboot unexpectedly.
To work around this issue, contact your hardware vendor to ask whether a new BIOS version with a microcode fix is available, or manually disable CPU C-states in the kernel as outlined below.
To permanently disable C-states using a kernel boot parameter:
1. Edit /etc/default/grub to add the argument processor.max_cstate=0 to the variable GRUB_CMDLINE_LINUX. For example, if the /etc/default/grub file contains the line GRUB_CMDLINE_LINUX="cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off", change it to GRUB_CMDLINE_LINUX="cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off processor.max_cstate=0".
2. Run sudo update-grub.
3. Reboot the system with sudo reboot.
To disable C-states in real time on the running system (this does not persist through a reboot):
1. Confirm that the libpci3 package is installed. Run dpkg-query -l libpci3 and confirm that the following line is displayed:
ii libpci3:amd64 1:3.2.1-3 amd64 Linux PCI Utilities (shared library)
The first field should read ii. If it does not, install the libpci3 package by running sudo apt upgrade; sudo apt install libpci3.
2. Disable C-states by running the command ./cpupower idle-set -d 2.
C-states are disabled by default in Cumulus Linux 4.3.0 and later.
3.7.9-4.2.1
2543647
CM-26137
ERSPAN in ebtables does not work for VNIs. For example, the following rule does not work:

-A FORWARD -i vni10 -j erspan --src-ip 100.1.1.2 --dst-ip 100.1.1.1 --ttl 64
3.7.6-4.2.1
2534977
None
On Mellanox switches, the destination MAC address of ERSPAN GRE packets is set to all zeros; therefore, the first transit switch might drop the packets.
4.0.0-4.2.1