Cumulus Linux 4.2 Release Notes


4.2.1 Release Notes

Open issues in 4.2.1

Issue ID | Description | Affects | Fixed
CM-31545 In an MLAG configuration with a layer 3 VNI, when you bounce the peer link, all layer 2 VNIs listed under the layer 3 VNI are duplicated.
To work around this issue, restart FRR with the sudo systemctl restart frr.service command.
3.7.10-3.7.13, 4.1.1-4.2.1
CM-31469 When you delete a layer 2 VNI and VLAN, the layer 3 VNI reports an incorrect layer 2 VNI number.
To work around this issue, either restart FRR or delete the VNI interface first, then delete the VLAN/SVI.
4.2.0-4.2.1
CM-31418 The default NTP configuration uses eth0 as the NTP source interface. In Cumulus Linux releases where eth0 is in the mgmt VRF by default, the ntp service automatically runs in the management VRF.
Running NTP with a source interface other than eth0 is not recommended, as this can create a security exposure.
Changing the NTP source interface with NCLU to an interface in a non-management VRF might result in NTP not functioning, since the ntp service is still running in the mgmt VRF.
4.2.0-4.2.1
CM-31414 On the Mellanox SN4700 switch, 8x50G port breakout is not currently supported.
4.2.1
CM-31407 You cannot configure SNMPv3 trap destinations in non-default VRFs with an authentication username that contains fewer than eight characters.
3.7.12-3.7.13, 4.2.0-4.2.1
CM-31358 The Dell 100G-LR4 (Innolight) transceiver cannot come up due to a power budget exceeded error on the Mellanox SN4600C switch.
4.2.0-4.2.1
CM-31327 After you manually edit the /etc/resolv.conf file to change or remove a VRF for a given DNS server, ifreload does not remove IP rules created for DNS servers in the VRF.
To work around this issue, run the net add/del dns nameserver [vrf <name>] command to force the DNS configuration.
3.7.13, 4.1.1-4.2.1
CM-31300 If a neighbor's LLDP PortID contains a special character, the net show interface command does not display the LLDP information or might fail.
3.7.10-3.7.13, 4.2.0-4.2.1
CM-31263 The RX_DRP counter on a bond interface increases without any data traffic, while the counter on the slave port does not.
3.7.12-3.7.13, 4.2.0-4.2.1
CM-31150 On the Mellanox SN2410 switch, you see switchd core and GBIN_MALLOC errors.
To work around this issue, restart switchd.
3.7.12-3.7.13, 4.0.0-4.2.1
CM-31120 In a traditional bridge configuration with ip-forward off, neighbors are synchronized to hardware with a switchd restart but are cleared when you flap the bridge interface.
3.7.10-3.7.13, 4.0.0-4.2.1
CM-31111 On the EdgeCore AS4610 switch, the eth0 interface remains down when physically connected to a 1G interface.
To work around this issue, configure the link speed to 1000 and set auto-negotiation on for the eth0 interface, then flap eth0 with the ip link set eth0 down/up command to bring up the port.
4.2.0-4.2.1
CM-31107 When you boot Cumulus VX 4.2 for the first time, ZTP does not execute because it thinks that the /etc/shadow file has been modified. This is due to the default password change implemented in CL 4.2.
To work around this issue, boot the switch, manually change the password, then run sudo ztp -R to reset the ZTP script.
4.2.0-4.2.1
CM-31073 When you set the sysctl settings net.ipv6.conf.all.accept_ra_defrtr (to prevent acceptance of IPv6 default route advertisements) and net.ipv6.conf.default.accept_ra_defrtr (set for newly created interfaces), if you create a new virtual interface, any pre-existing interface does not start accepting IPv6 default route advertisements again.
To work around this issue, when you create a new virtual interface, set net.ipv6.conf.<interface>.accept_ra_defrtr to 0 for all interfaces and run sysctl -p --system.
3.7.12-3.7.13, 4.0.0-4.2.1
CM-31056 After configuring multiple dhcrelay6 instances, then restarting the dhcrelay6 relay service, replies are sent on the incorrect VLAN.
This problem does not occur if you only have one instance of dhcrelay6.
To work around this issue, restart both dhcrelay6 instances.
4.1.1-4.2.1
CM-31028 Ingress SPAN/ERSPAN does not mirror packets when the next hop is EVPN encapsulated.
3.7.7-3.7.13, 4.0.0-4.2.1
CM-30987 On the Mellanox switch, RoCE with PFC configuration is not applied to all ports in hardware when a range is used in the traffic.conf file.
To work around this issue, use NCLU to configure RoCE with PFC or list individual ports in the traffic.conf file.
4.2.0-4.2.1
CM-30916 On the Mellanox SN4700 switch, you might see Bad signal integrity issues on 200G and 400G ports.
4.2.1
CM-30879 NCLU restarts FRR when removing a BGP VRF IPv4 aggregate-address command.
3.7.12-3.7.13, 4.0.0-4.2.1
CM-30863 OpenSSH scp is vulnerable to CVE-2020-15778, where clients that have authorized access to the SSH server can execute commands on the server by copying maliciously named files.
The two scenarios where an exploit may be useful to an attacker:
-The user is authorized to scp but not ssh (based on the command option in the authorized_keys file), so this vulnerability can allow executing a remote command on the target computer when not authorized to do so.
-An attacker plants a maliciously named file in a directory tree that someone later uses scp -r to copy over to the target computer.
Be aware that restricting users to scp by using the command option in the authorized_keys file is not effective in preventing those users from executing arbitrary commands on the server.
If you want to use scp -r to copy directory trees, avoid copying directory trees to which attackers may have added maliciously-named files. Archiving the directory tree with tar, zip, or a similar program, then copying the archive over to be extracted on the server avoids having to use scp -r altogether. In addition, OpenSSH provides sftp, which you can use instead of scp to copy files.
To disable scp completely, run /bin/chmod 0 /usr/bin/scp.
3.0.0-3.7.13, 4.0.0-4.2.1
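The following shell script is an added example for this entry; it is not code from the release notes or from OpenSSH. It emulates locally, with no SSH server involved, the step that makes the remote path dangerous (the remote login shell parsing the command line scp hands to ssh), then provides a pre-flight check that scans a directory tree for names carrying shell metacharacters before you run scp -r, and the archive-then-copy alternative the entry recommends. The file and directory names it creates are constructed for the demonstration, and fake_scp is a stand-in for the remote scp binary.

```shell
#!/bin/sh
# Added example for CM-30863 / CVE-2020-15778; not part of the release notes or OpenSSH.
# Runs entirely locally: no SSH server, no real scp invocation.

# scp hands ssh a remote command line of roughly the form "scp -t <remote-path>", and the
# remote login shell parses that line. This function emulates only the parsing step with
# sh -c, substituting a no-op "fake_scp" for the remote scp binary and using a constructed
# remote path whose command substitution merely creates a marker file.
scp_remote_path_is_shell_parsed() {
    work=$(mktemp -d)
    marker="$work/marker"
    evil_path="$work/dest/\$(touch $marker)"   # constructed attacker-controlled path
    sh -c "fake_scp() { :; }; fake_scp -t $evil_path" 2>/dev/null
    if [ -e "$marker" ]; then
        rm -rf "$work"
        echo "payload executed"
    else
        rm -rf "$work"
        echo "no payload"
    fi
}

# Pre-flight check before "scp -r <tree> host:<dest>": print every entry whose name
# carries a shell metacharacter. Returns 0 if the tree is clean, 1 otherwise.
find_unsafe_names() {
    tree="$1"
    unsafe=$(find "$tree" -name '*[$`;|&<>(){}]*' -print)
    [ -n "$unsafe" ] && printf '%s\n' "$unsafe"
    [ -z "$unsafe" ]
}

# What the entry recommends instead of scp -r: archive the tree locally so that the only
# name ever passed to scp or sftp is the archive's. Prints the archive path on success.
pack_tree_for_transfer() {
    tar -C "$1" -cf "$2" . && printf '%s\n' "$2"
}

# Demonstration on a constructed tree containing two maliciously named files.
count_unsafe_in_constructed_tree() {
    work=$(mktemp -d)
    mkdir -p "$work/tree/sub"
    : > "$work/tree/README"
    : > "$work/tree/sub/report.txt"
    : > "$work/tree/sub/\$(id).log"        # constructed: command substitution in the name
    : > "$work/tree/\`uname\`.conf"         # constructed: backticks in the name
    n=$(find_unsafe_names "$work/tree" | wc -l | tr -d ' ')
    rm -rf "$work"
    echo "$n"
}

# Typical use: refuse to scp -r a tree that fails the check and ship an archive instead.
# find_unsafe_names ./build || pack_tree_for_transfer ./build /tmp/build.tar
```

The first function prints "payload executed" because the inner shell evaluated the command substitution embedded in the path; this is exactly why the command= restriction in authorized_keys does not confine an scp-only user. The check and the archive step cover the scp -r scenario: run find_unsafe_names on the tree, and if it reports anything, transfer a tar archive (or use sftp) rather than the tree itself.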
CM-30832 The Mellanox SN2700 switch intermittently reports PSU fan state changes with Unable to read from device/fan1_input/pwm1 syslog messages.
4.1.1-4.2.1
CM-30555 If you have an existing community list of any type, redefining the same sequence number results in the entire community list being deleted.
To work around this issue, delete the community list sequence before trying to adjust it.
4.2.0-4.2.1
CM-30514 In OVSDB high availability mode, deleting more than 200 VLAN bindings might cause ovs-vtepd to crash. Limit the deletion to 200 or fewer VLAN bindings at a time.
3.7.12-3.7.13, 4.0.0-4.2.1
CM-30473 If you modify an interface name, then reuse the previous interface name for a different VLAN, the ifreload -a command generates an error similar to the following:
warning: : interface not recognized - please check interface configuration

4.1.0-4.2.1
CM-30422 When you configure a bridge in the /etc/network/interfaces file, then try to reconfigure the bridge to be a VRF interface with the same name, ifreload/ifup commands fail with an invalid table id or unable to get vrf table id error.
3.7.12-3.7.13, 4.0.0-4.2.1
CM-30414 If you toggle VRRP priority values between VRRP routers, then run a switchd restart, a few IPv6 VRRP instances might not converge. As a result, both the VRRP routers act as master routers for the impacted IPv6 VRRP instances. IPv4 VRRP instances are not affected.
To work around this issue, remove, then add the VRRP configuration with NCLU commands or vtysh in FRR.
3.7.13, 4.2.0-4.2.1
CM-30361 On Mellanox switches with the Spectrum-2 ASIC, the lpm-balanced forwarding profile does not work.
4.1.1-4.2.1
CM-30358 The Mellanox Spectrum-3 switch takes approximately fifteen seconds for ports to move from an admin up state to an operational up state. Also, restarting switchd takes more than 120 seconds.
4.2.0-4.2.1
CM-30312 When TACACS+ is configured and the management VRF is enabled, users with privilege level 13 are prevented from running ip and cat commands.
4.0.0-4.2.1
CM-30296 The net show configuration command provides the wrong net add command for ACL under the VLAN interface.
3.7.12-3.7.13, 4.1.0-4.2.1
CM-30280 On a Mellanox SN2010 switch, the Locator LED is on after you upgrade Cumulus Linux.
4.1.0-4.2.1
CM-30247 dot1qVlanIndex in the dot1qVlanStaticTable of the SNMP Q-BRIDGE-MIB does not use the VLAN ID and does not comply with RFC 4363.
4.1.1-4.2.1
CM-30231 When the dynamic or static flag on a bridge fdb (MAC) entry is changed to the opposite state, the new flag is not set appropriately in hardware. This can allow a static fdb entry to be unexpectedly learned dynamically on a different interface, or can prevent a dynamic entry from being updated or learned elsewhere.
This condition can occur during a manual replacement of a local MAC address or when EVPN updates a dynamic MAC address to add or remove the Sticky Mac flag. Either situation results in the MAC address keeping the original flag in hardware.
To work around this issue, delete or withdraw the fdb entry, then add the static MAC address directly. For example:
bridge fdb del 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master
bridge fdb add 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master [ static | dynamic ]

If you are unable to delete an EVPN-learned remote MAC address, you can replace the dynamic MAC address with a local static one, then delete the static MAC address. For example:
bridge fdb replace 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master static
bridge fdb del 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master
bridge fdb add 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master [ static | dynamic ]

4.0.0-4.2.1
CM-30230 If a remote EVPN Sticky MAC [Static MAC address] is unexpectedly learned dynamically on a local interface, the selected entries in zebra and BGP are in an inconsistent state.
zebra increments the local MAC mobility sequence number and considers the MAC address to be local, but BGP maintains the remote Sticky MAC as the best path selected. This results in zebra installing the local MAC address and BGP not updating the route for the MAC address.
4.0.0-4.2.1
CM-30224 The show evpn mac vni <vni> mac <mac-address> command stops displaying “Sticky MAC” if that MAC address is seen on a local bridge port. The following example shows the command output before the MAC address is seen on a local bridge:
cumulus@switch:~$ net show evpn mac vni 24 mac 50:6b:4b:aa:aa:aa
MAC: 50:6b:4b:aa:aa:aa
Remote VTEP: 10.0.0.41 Sticky Mac
Local Seq: 0 Remote Seq: 0
Neighbors:
No Neighbors

The following example shows the command output after the MAC address is seen on a local bridge:
cumulus@switch:~$ net show evpn mac vni 24 mac 50:6b:4b:aa:aa:aa
MAC: 50:6b:4b:aa:aa:aa
Remote VTEP: 10.0.0.41
Local Seq: 1 Remote Seq: 0
Neighbors:
10.2.4.14 Inactive

4.0.0-4.2.1
CM-30195 On the Dell S3000 switch, after installing the Cumulus Linux 4.1.1 disk image without a license, the switch sends a link beat if a remote host port is configured.
3.7.11-3.7.13, 4.1.1-4.2.1
CM-30194 After you enable RoCE with the net add interface <switch-port> storage-optimized pfc command, you cannot verify the command because it is not shown in the net show config command output.
4.1.1-4.2.1
CM-30182 The net show time ntp servers command does not show any output with management VRF.
4.1.1-4.2.1
CM-30165 When you use a phone with EAP and voice VLAN is configured (and MAB is not configured), after the phone authenticates, all tagged traffic from the phone is dropped.
To work around this issue, enable MAB on the interface.
3.7.12-3.7.13, 4.0.0-4.2.1
CM-30164 The /usr/share/zoneinfo/leap-seconds.list file expires periodically and results in log messages being generated about that expiration.
To work around this issue, you must update the file from https://www.ietf.org/timezones/data/leap-seconds.list or upgrade the tzdata package to the newest version.
4.0.0-4.2.1
CM-30159 After you delete a bond, the deleted bond members have the deleted bond MAC address instead of their original MAC address, which might result in traffic being discarded.
To work around this issue, perform a full switch restart.
4.1.1-4.2.1
CM-30103 On a Broadcom switch with the Trident2+ ASIC, ACL rules for VLANs are not applied after a reboot and the counters remain at zero.
To work around this issue, either do not set acl.non_atomic_update_mode = TRUE in the /etc/cumulus/switchd.conf file or run the cl-acltool -i command after the reboot to install the ACLs.
3.7.12-3.7.13, 4.0.0-4.2.1
CM-30101 The NCLU net show bridge spanning-tree command displays the aging timer incorrectly.
3.7.12-3.7.13, 4.0.0-4.2.1
CM-30089 Cumulus Linux supports a maximum of 300 ACLs for use with 802.1X interfaces. This limit encompasses the default ACLs, pre-auth ACLs and dynamic ACLs. Exceeding this limit can affect the performance of the switch.
4.1.0-4.2.1
CM-30052 Configuring the subinterface of a VXLAN uplink under another traditional bridge, which also has the VXLAN VNI enslaved, causes switchd to use high CPU due to very frequent VXLAN tunnel sync events.
To work around this issue, do not enslave the subinterface of a VXLAN layer 3 uplink under a traditional bridge in a VXLAN configuration.
4.1.1-4.2.1
CM-29978 The received PVST BPDU for a VLAN is flooded even though the ingress port does not have the VLAN tagged.
3.7.8-3.7.13, 4.0.0-4.2.1
CM-29890 Multiple paths to identical EVPN prefixes are either not displayed or not accepted into the l2vpn evpn table if they are received from a different AS.
3.7.12-3.7.13, 4.1.1-4.2.1
CM-29872 Tab completion for the net show rollback description command returns information about a snapshot instead of context help.
To work around this issue, run the net show commit history command to find descriptions instead of the net show rollback description command.
3.7.12-3.7.13, 4.0.0-4.2.1
CM-29871 The net show rollback description <string> command returns an error even if the string matches a commit description.
To work around this issue, look for your string in the output of the net show commit history command (or grep for it there) instead.
3.7.12-3.7.13, 4.0.0-4.2.1
CM-29809 You might see a three second traffic outage after an MLAG secondary reboot when the MLAG bonds become dual-connected again.
4.1.1-4.2.1
CM-29779 In LLDP, the snmp subagent loses all subsequent lldpRemSysName (1.0.8802.1.1.2.1.4.1.1.9) entries after an entry with a missing SysName is added.
All the information from lldpctl is correct. Only the entries after the entry that is missing a SysName in lldpRemSysName disappear from the snmp subagent.
3.7.12-3.7.13, 4.0.0-4.2.1
CM-29759 When you use nginx and restserver in management VRF to provide a REST API for the switch, nginx starts but restserver fails to start.
To work around this issue, comment out the Requires= line in the /lib/systemd/system/restserver.service. For example:
#Requires=nginx.service restserver.socket

3.7.12-3.7.13, 4.0.0-4.2.1
CM-29652 The ACCTON-DIAG option under the Cumulus Linux GRUB menu does not work. When you select this option, you see the following error:
error: invalid signature.
Press any key to continue…

3.7.12-3.7.13, 4.1.1-4.2.1
CM-29603 When you move an interface from one VRF to another and modify the description in the same configuration operation, FRR crashes and restarts during a service reload. If these two changes occur in separate reloads, FRR does not crash.
4.1.1-4.2.1
CM-29594 When you run an Ansible script to replace the /etc/network/interfaces file, then run the ifreload -a command, you see errors similar to the following:
error: swp1s1.2: netlink: cannot set link swp1s1.2 up: operation failed with ‘Network is down’ (100)
warning: cmd ‘/bin/ip addr del 10.0.0.1/24 dev eth0’ failed: returned 2 (RTNETLINK answers: Cannot assign requested address

To work around this issue, run the ifreload -a command a second time.
3.7.12-3.7.13, 4.0.0-4.2.1
CM-29562 If you have an SVI with multiple VRR IP addresses and try to delete one of the VRR configurations, net commit or ifreload -a returns an error.
3.7.12-3.7.13, 4.1.1-4.2.1
CM-29546 In vtysh, if you configure, then remove a layer 3 VNI for a VRF, the VNI is removed from zebra even if the VNI interface still exists in the kernel.
If you configure a layer 2 VNI as a layer 3 VNI by mistake, removing the layer 3 VNI binding removes it from zebra but EVPN-learned MACs and neighbors are not installed into the kernel.
To work around this issue, delete, then re-add the missing VNI. For example:
cumulus@switch:~$ sudo ifdown vni10100
cumulus@switch:~$ sudo ifup vni10100

If you flap the link with the ip link set vni10100 down; ip link set vni10100 up commands, zebra does not re-add the VNI.
3.7.12-3.7.13, 4.0.0-4.2.1
CM-29519 The JSON format output of the net show bgp l2vpn evpn summary command shows the incorrect neighbor state.
3.7.12-3.7.13, 4.0.0-4.2.1
CM-29492 When you create SPAN or ERSPAN rules in ebtables, the action fails to install if it is not in lowercase. Make sure that the SPAN or ERSPAN action is all lowercase; for example:
[ebtables]
-A FORWARD --in-interface swp10 -j span --dport swp1

3.7.12-3.7.13, 4.1.1-4.2.1
CM-29319 When you configure an RD or RT with NCLU, you see duplicate VNI stanzas in the /etc/frr/frr.conf file.
To work around this issue, manually edit the /etc/frr/frr.conf file to define advertise-all-vni before the RD or RT configuration within the l2vpn evpn address family, then reload the FRR service with the sudo systemctl reload frr command.
4.1.0-4.2.1
CM-29309 When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when no MLD join is received.
3.7.11-3.7.13, 4.0.0-4.2.1
CM-29259 You might see the following gport error messages in switchd.log:

2020-04-10T19:50:01.011224+09:00 E1PDX0V1ELF0001 6 switchd[925]: hal_bcm_mdb.c:530 gport 0x800007a find failed
2020-04-10T19:50:01.011631+09:00 E1PDX0V1ELF0001 6 switchd[925]: hal_bcm_mdb.c:530 gport 0x8000009 find failed

These messages are harmless and can be ignored.
3.7.12-3.7.13, 4.0.0-4.2.1
CM-29148 On MLX switches that contain an OSPF IP unnumbered neighborship with a high scale of prefixes being learned, a link flap might cause the neighbor entry to not be programmed in hardware.
3.7.11-3.7.13, 4.0.0-4.2.1
CM-29146 On the EdgeCore Minipack AS8000, storm control does not restrict unknown unicast, broadcast, or multicast traffic.
4.1.1-4.2.1
CM-29043 When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF.
To work around this issue, remove the unnecessary eBGP IPv4 peering.
3.7.12-3.7.13, 4.0.0-4.2.1
CM-29035 When you upgrade Cumulus Linux on the EdgeCore AS7726-32X or AS7326-56X switch, you might see firmware errors similar to the following:
W: Possible missing firmware /lib/firmware/tigon/tg3_tso5.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3_tso.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3.bin for module tg3

You can safely ignore these error messages.
3.7.12-3.7.13, 4.0.0-4.2.1
CM-28940 If you configure aggregate-address <address> summary-only before a component of the same aggregate is injected into the BGP table with the network or redistribute command, when you remove the aggregate-address configuration, the component stays suppressed; it is not advertised to peers. For example:
Existing configuration:
router bgp 1
address-family ipv4 unicast
aggregate-address 50.0.0.0/8 summary-only
exit-address-family

If you add network 50.0.0.1/32, you see the following (expected) BGP table entries:
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 50.0.0.0 0.0.0.0 32768 i
s> 50.0.0.1/32 0.0.0.0 0 32768 i

Removing aggregate-address 50.0.0.0/8 summary-only at this point results in the following (unexpected) BGP table entry:
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
s> 50.0.0.1/32 0.0.0.0 0 32768 i

To work around this issue, remove, then re-add the component prefix routes.
3.7.12-3.7.13, 4.0.0-4.2.1
CM-28891 The net show configuration command does not show the RoCE net add interface <swp> storage-optimized pfc configuration.
4.1.0-4.2.1
CM-28816 The following security advisory has been announced for bash:
CVE-2019-18276 (Qualys scan QID 372268): setuid vulnerability
When bash or a bash script runs setuid, bash is supposed to drop privileges but does so incorrectly, so an attacker with command access to the shell can use enable -f to load a new builtin at runtime that calls setuid() to regain the dropped privileges.
To work around this issue, do not make bash or bash scripts setuid.
3.0.0-3.7.13, 4.0.0-4.2.1
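The following shell script is an added example for this entry; it is not code from the release notes or from bash. It audits a filesystem tree for the condition the workaround tells you to avoid: setuid files that are a bash or sh binary, or scripts whose interpreter line names one. The sample tree it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example for CM-28816 / CVE-2019-18276; not part of the release notes or bash.
# The workaround is "do not make bash or bash scripts setuid"; this audit finds any that are.

# Print, one per line, the setuid files under $1 that are a bash/sh/dash binary or a
# script whose interpreter line names bash, sh or dash.
find_setuid_shell_executables() {
    root="$1"
    find "$root" -type f -perm -4000 -print 2>/dev/null | while IFS= read -r f; do
        case "$(basename "$f")" in
            bash|sh|dash) printf '%s\n' "$f"; continue ;;
        esac
        # Only the interpreter line matters; head -n 1 on a binary is harmless.
        case "$(head -n 1 "$f" 2>/dev/null)" in
            '#!'*bash*|'#!'*/sh*|'#!'*/dash*) printf '%s\n' "$f" ;;
        esac
    done
}

# Demonstration on a constructed tree: one setuid bash script (must be reported), one
# setuid file with no interpreter line (not a shell script), and one non-setuid script.
count_in_constructed_tree() {
    work=$(mktemp -d)
    printf '#!/bin/bash\necho hi\n' > "$work/backup-helper"
    chmod 4755 "$work/backup-helper"          # constructed: setuid bash script
    printf 'not a script\n' > "$work/other"
    chmod 4755 "$work/other"                  # setuid, but not a shell script
    printf '#!/bin/bash\necho hi\n' > "$work/normal.sh"
    chmod 0755 "$work/normal.sh"              # bash script, not setuid
    n=$(find_setuid_shell_executables "$work" | wc -l | tr -d ' ')
    rm -rf "$work"
    echo "$n"
}

# Real use, as root on the switch (expect no output):
# find_setuid_shell_executables /
```

Any path the audit prints is a file that the CVE makes exploitable by a user who can run it; remove the setuid bit or replace the script with a compiled helper that drops privileges correctly.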
CM-28770 The net add routing route-map <name> permit <seq> set community <comm> command does not add the set statement into the /etc/frr/frr.conf file.4.0.0-4.2.1
CM-28754 On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules.
3.7.3-3.7.13, 4.0.0-4.2.1
CM-28613 In EVPN Active-Active (MLAG) environments, rebooting one member of an MLAG pair should result in the local MAC mobility sequence number reverting to 0. Sometimes a reboot of one MLAG peer results in the local MAC mobility sequence number being set to a non-zero value even though no further mobility events occur. This issue is cosmetic only, as BGP does not advertise the incorrect sequence number and forwarding entries correctly point to the remote VTEP where the MAC is now located.
3.7.12-3.7.13, 4.0.0-4.2.1
CM-28611 In an EVPN Active-Active (MLAG) environment, sometimes a local-to-remote MAC mobility event results in the local sequence number appearing higher than the remote sequence number in zebra. This issue is cosmetic only, as BGP does not advertise the incorrect sequence number and forwarding entries correctly point to the remote VTEP where the MAC is now located.
3.7.12-3.7.13, 4.0.0-4.2.1
CM-28497 QinQ across VXLAN on a traditional bridge does not work.
4.1.0-4.2.1
CM-28489 The following CVEs were announced for rsyslog:
CVE-2019-17041, CVE-2019-17042
rsyslogd, when receiving remote log messages (not enabled by default on Cumulus Linux) with the pmaixforwardedfrom or pmcisconames optional log parsers (also not enabled by default on Cumulus Linux), is vulnerable to CVE-2019-17041 and CVE-2019-17042, where malicious messages that appear to be from AIX or Cisco respectively can be made to skip sanity checks, resulting in incorrect negative lengths that cause heap overflows.
Vulnerable: 8.1901.0-1
Recommendation: Do not enable receiving syslog messages from other hosts over the network (with $UDPServerRun or $InputTCPServerRun). Also, do not enable (with $ModLoad) the vulnerable parsers pmaixforwardedfrom or pmcisconames. The default /etc/rsyslog.conf file on Cumulus Linux does not enable any of these.
4.0.0-4.2.1
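The following shell script is an added example for this entry; it is not code from the release notes or from rsyslog. It checks an rsyslog configuration file for the directives the recommendation says to leave disabled, covering both the legacy $Directive syntax named above and the equivalent RainerScript module()/input() syntax, and demonstrates on two constructed files: one with the weak settings beside one with local logging only.

```shell
#!/bin/sh
# Added example for CM-28489 (CVE-2019-17041, CVE-2019-17042); not part of the release
# notes or rsyslog. Flags the directives the recommendation says to leave disabled: network
# inputs ($UDPServerRun, $InputTCPServerRun, imudp/imtcp) and the pmaixforwardedfrom and
# pmcisconames parsers, in both legacy ($Directive) and RainerScript (module(...)) syntax.

# Print "<line-number>:<line>" for each active (non-commented) match in the file $1.
# Exit status is grep's: 0 when something was found, 1 when the file is clean.
rsyslog_remote_input_findings() {
    grep -Ein \
      '^[[:space:]]*(\$(UDPServerRun|InputTCPServerRun|ModLoad[[:space:]]+(imudp|imtcp|pmaixforwardedfrom|pmcisconames))|module\([[:space:]]*load="(imudp|imtcp|pmaixforwardedfrom|pmcisconames)"|input\([[:space:]]*type="(imudp|imtcp)")' \
      "$1"
}

# Demonstration on two constructed files: a weak configuration beside a safe one.
# Prints "<weak findings> <safe findings>".
count_findings_in_constructed_confs() {
    work=$(mktemp -d)
    cat > "$work/weak.conf" <<'EOF'
$ModLoad imudp
$UDPServerRun 514
$ModLoad pmcisconames
#$InputTCPServerRun 514
module(load="pmaixforwardedfrom")
*.* /var/log/syslog
EOF
    cat > "$work/safe.conf" <<'EOF'
# local logging only: no network inputs, no optional parsers
$ModLoad imuxsock
*.* /var/log/syslog
EOF
    weak=$(rsyslog_remote_input_findings "$work/weak.conf" | wc -l | tr -d ' ')
    safe=$(rsyslog_remote_input_findings "$work/safe.conf" | wc -l | tr -d ' ')
    rm -rf "$work"
    echo "$weak $safe"
}

# On a switch:
# rsyslog_remote_input_findings /etc/rsyslog.conf
# for f in /etc/rsyslog.d/*.conf; do rsyslog_remote_input_findings "$f"; done
```

The weak file yields four findings (the commented-out $InputTCPServerRun line is correctly ignored) and the safe file none. A non-empty result on a switch means a network input or one of the vulnerable parsers is active; remove it until the rsyslog package is updated.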
CM-28458 NCLU incorrectly allows you to configure port security on bond/MLAG interfaces.
Port security is not supported on bond/MLAG interfaces.
4.0.0-4.2.1
CM-28393 On the Dell S5232F-ON switch, EVPN and dynamic VRF route leaking results in the CPU forwarding traffic to newly-learned type-2 routes.
To work around this issue, restart FRR.
3.7.9-3.7.13, 4.0.0-4.2.1
CM-28249 On the Mellanox switch, when you modify the buffer and queue configuration without restarting switchd, you might see a one second interruption in forwarding.
4.0.0-4.2.1
CM-28226 When you restart the hsflowd service, you see a systemd warning message similar to the following:
Warning: The unit file, source configuration file or drop-ins of hsflowd@mgmt.service changed on disk. Run ‘systemctl daemon-reload’.

4.0.0-4.2.1
CM-28080 TACACS+ through ClearPass is not currently supported. Cumulus Linux sends authorization before authentication, but ClearPass does not accept an authorization before the user is authenticated.
3.7.11-3.7.13, 4.0.0-4.2.1
CM-28003 The FRR service does not provide a way for automation to know if the configuration applied properly.
To work around this issue, execute the vtysh -f <file> command in the automation file before starting the FRR service to validate the functional configuration and return an error code.
3.7.11-3.7.13, 4.0.0-4.2.1
CM-27957 If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following:
systemd[1]: switchd.service watchdog timeout (limit 2min)!

To work around this issue, either reduce the number of configured interfaces and/or VLANs, or increase the systemd watchdog timeout for switchd.service.
To increase the systemd timeout:
  1. Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter.
  2. Restart the switchd service with the sudo systemctl restart switchd.service command.
    systemd will attempt to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command.
3.7.11-3.7.13, 4.0.0-4.2.1
CM-27950 On the Dell S5232F, S5248F, S5296F, and S3048 switches, using the poweroff or halt commands does not fully power off the switch.
4.0.0-4.2.1
CM-27642 The following CVEs were announced that affect the libssh package:
CVE-2019-14889 has been announced in the libssh library, where unsanitized user-provided scp command lines could allow an attacker to execute arbitrary commands on the server.
The libssh library is not installed on Cumulus Linux by default, but is available in the Cumulus Linux 4 repository for optional installation. Note that libssh is distinct from libssh2 and openssh, which are present on the switches and in the repositories.
See the following for more information:
https://www.libssh.org/security/advisories/CVE-2019-14889.txt
https://security-tracker.debian.org/tracker/CVE-2019-14889
4.0.0-4.2.1
CM-27444 If you use the NCLU commands to configure NTP and run the net add time ntp source <interface> command before you run the net add time ntp server <server> iburst command, the /etc/ntp.conf file is misconfigured.
To work around this issue, run the net add time ntp server <server> iburst command before you run the net add time ntp source <interface> command.
3.7.10-3.7.11, 4.0.0-4.2.1 (fixed in 3.7.12-3.7.13)
CM-27243 The length of the netlink message is not set properly for non-bridge family type messages. The same length is used for both bridge and non-bridge messages even though the bridge family type message has an extra attribute. This causes extra bytes to be left over in non-bridge family type netlink messages.
3.7.10, 4.0.0-4.2.1 (fixed in 3.7.11-3.7.13)
CM-27143 On the Dell S5248F-ON switch, the CPU core temperature sensors show ABSENT.
4.0.0-4.2.1
CM-27099 On the Mellanox switch with the Spectrum-2 ASIC, Precision Time Protocol (PTP) is not currently supported.
4.0.0-4.2.1
CM-27094 On the Delta AG9032v1 switch, smonctl and sensors report inaccurate PSU current and power.
3.5.0-3.7.13, 4.0.0-4.2.1
CM-27018 If you configure more than one VRR interface on an SVI interface, deleting one of the VRR addresses does not remove the interface/address.
3.7.10-3.7.13, 4.0.0-4.2.1
CM-26942 Port security is not currently supported on Cumulus VX. The NCLU commands produce errors.
4.0.0-4.2.1
CM-26921 If you delete an undefined bond, then add a bond slave, the net commit command fails.
3.7.9-3.7.13, 4.0.0-4.2.1
CM-26913 FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:
sudo sh -c "printf 'interface 50\nvrf TEST description L3 routing interface\n' >> /etc/frr/frr.conf"

should be:
sudo sh -c "printf 'interface 50 vrf TEST\ndescription L3 routing interface\n' >> /etc/frr/frr.conf"

To work around this issue, configure the interface manually in the /etc/frr/frr.conf file.
3.7.9-3.7.13, 4.0.0-4.2.1
CM-26907 NCLU incorrectly allows you to apply port security configuration on layer 2 and layer 3 ports that are not part of a bridge.
4.0.0-4.2.1
CM-26905 When you update the hostname of a switch with the NCLU net add hostname <hostname> command, then run net commit, the lldpd service does not restart and other devices still see the old hostname.
To work around this issue, run the sudo systemctl restart lldpd.service command.
3.7.10-3.7.13, 4.0.0-4.2.1
CM-26860 When you run the NCLU net show commit last or net show commit <number> command, where <number> is the last commit, no output is shown.
4.0.0-4.2.1
CM-26769 Setting ProtoDown on ports populated with SFP modules providing RJ-45 1000BASE-T interfaces does not cause the carrier to be dropped. The kernel shows carrier down; however, the remote device still shows a link.
3.7.6-3.7.10, 4.0.0-4.2.1 (fixed in 3.7.11-3.7.13)
CM-26599 Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.
To work around this issue, do not use auto-negotiation and set the local port speed to 10G.
3.7.9-3.7.13, 4.0.0-4.2.1
CM-26595 The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds.
3.7.9-3.7.13, 4.0.0-4.2.1
CM-26516 Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host.
3.7.5-3.7.13, 4.0.0-4.2.1
CM-26423 NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order.
3.7.5-3.7.13, 4.0.0-4.2.1
CM-26412 MAC learning is not disabled by default on a double-tagged peer link interface, resulting in the MAC address moving between the MLAG bond and the peer link.
To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the /etc/network/interfaces file.
3.7.9-3.7.13, 4.0.0-4.2.1
CM-26308 An interface alias configured outside FRR using iproute2 is imported into the FRR running configuration and overrides the internal description. After an FRR reload, this causes FRR to delete the interface alias in an inefficient way. Depending on how many interfaces with aliases you have configured, this can cause a FRR reload to time out.
To work around this issue, remove the interface alias description from iproute2.
3.7.8-3.7.10, 4.0.0-4.2.1 (fixed in 3.7.11-3.7.13)
CM-26288 On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address.
3.7.8-3.7.13, 4.0.0-4.2.1
CM-26256 The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
3.7.8-3.7.13, 4.0.0-4.2.1
CM-26241 On the Dell S5248F-ON switch, smond might generate syslog messages indicating that the fan input RPM is lower than the normal low speed of 2500 RPM. Speeds as low as 1700 RPM are acceptable in normal thermal environments; therefore, you can ignore these messages.
3.7.6-3.7.11, 4.0.0-4.2.1 (fixed in 3.7.12-3.7.13)
CM-26217 NCLU does not allow you to configure OSPF NSSAs. For example:
cumulus@switch:~$ net add ospf area 0.0.0.1 nssa 
ERROR: Command not found.
net add ospf area 0.0.0.1 nssa

To work around this issue, use FRR instead. For example:
switch# configure terminal 
switch(config)# router ospf
switch(config-router)# area 0.0.0.1 nssa

3.7.7-3.7.10, 4.0.0-4.2.1 (fixed in 3.7.11-3.7.13)
CM-26179 If a hostname contains UTF-8 characters, the NCLU net show lldp command outputs the following error:
ERROR: 'ascii' codec can't encode character u'\xe9' in position 3: ordinal not in range(128)
See /var/log/netd.log for more details.

3.7.7-3.7.10, 4.0.0-4.2.1 (fixed in 3.7.11-3.7.13)
CM-26137 ERSPAN in ebtables does not work for VNIs. For example, the following rule does not work:
-A FORWARD -i vni10 -j erspan --src-ip 100.1.1.2 --dst-ip 100.1.1.1 --ttl 64

3.7.6-3.7.13, 4.0.0-4.2.1
CM-26136 In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case).3.7.6-3.7.13, 4.0.0-4.2.1
CM-25986 On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces.
To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish.
4.0.0-4.2.1
CM-25890 In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18).3.7.0-3.7.13, 4.0.0-4.2.1
CM-25859 The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.
To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command.
3.7.7-3.7.13, 4.0.0-4.2.1
CM-25815 When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted.3.7.6-3.7.13, 4.0.0-4.2.1
CM-25740 On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags.
To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad:
cumulus@switch:~$ net add bridge mybridge vlan-protocol 802.1ad 

3.7.6-3.7.13, 4.0.0-4.2.1
CM-25694 If a packet is policed by ebtables, it does not increment an ACL drop on the ingress interface. Instead, it increments the TDBGC3/6 drop counter to the CPU.3.7.6-3.7.13, 4.0.0-4.2.1
CM-25674 On Mellanox switches, policer iptables are not working as expected. For example, when using a policer with mode KB/MB/GB to rate-limit interfaces, the syntax is accepted but the data plane transfer speed is not affected by the rule. 3.7.6-3.7.8, 4.0.0-4.2.1 (fixed in 3.7.9-3.7.13)
CM-25400 If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically.3.7.6-3.7.13, 4.0.0-4.2.1
CM-25397 When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted.3.7.3-3.7.13, 4.0.0-4.2.1
CM-24894 The maximum-prefix configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded.3.7.5-3.7.13, 4.0.0-4.2.1
CM-24799 On switches with the Trident2 ASIC, 802.1Q-encapsulated control plane traffic received on an interface with 802.1AD configured subinterfaces might be dropped.
This issue only affects QinQ configurations.
3.7.5-3.7.13, 4.0.0-4.2.1
CM-24652 In an EVPN environment, the centralized MAC address is not installed on the MLAG pair because Cumulus Linux does not perform an SVI MAC check per VLAN.
This issue does not affect a pure distributed routing (symmetric or asymmetric) environment or a pure centralized routing environment.
3.7.0-3.7.13, 4.0.0-4.2.1
CM-24618 If the interface alias contains a single or double quotation mark, or an apostrophe, the net show configuration commands fail with the following error:
ERROR: No closing quotation
See /var/log/netd.log for more details.

3.6.1-3.7.13, 4.0.0-4.2.1
CM-24473 SNMP incorrectly requires engine ID specification.3.7.4-3.7.13, 4.0.0-4.2.1
CM-24435 When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a match interface condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces.
For example, this command is incorrect:
net add routing route-map Proxy-ARP permit 25 match interface swp9-10

These commands are correct:
net add routing route-map Proxy-ARP permit 25 match interface swp9
net add routing route-map Proxy-ARP permit 30 match interface swp10

3.7.2-3.7.13, 4.0.0-4.2.1
CM-24426 NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf <name> command just displays . For example:
 
cumulus@switch:~$ net add vrf mgmt


Tab completion for the net add vrf <name> ip address <address> command works correctly.
3.7.4-3.7.13, 4.0.0-4.2.1
CM-24379 On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route.3.7.5-3.7.13, 4.0.0-4.2.1
CM-24343 The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.
To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value.
3.7.4-3.7.13, 4.0.0-4.2.1
CM-24332 On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.3.7.3-3.7.13, 4.0.0-4.2.1
CM-24272 When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.
To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example:
cumulus@switch:~$ sudo vtysh
switch# configure terminal
switch(config)# interface br0.100
switch(config-if)# vrrp 1 priority 110
switch(config-if)# vrrp 1 advertisement-interval
switch(config-if)# end
switch# write memory
switch# exit
cumulus@switch:~

3.7.4-3.7.13, 4.0.0-4.2.1
CM-24271 On SVIs in a VLAN-aware bridge, you cannot change the VRRP priority with NCLU.
To work around this issue, run the vtysh command inside FRR to change the default priority. For example:
cumulus@switch:~$ sudo vtysh
switch# configure terminal
switch(config)# interface vlan100
switch(config-if)# vrrp 1 priority 110
switch(config-if)# end
switch# write memory
switch# exit
cumulus@switch:~

3.7.4-3.7.13, 4.0.0-4.2.1
CM-24270 Cumulus Linux uses VRRPv3 as the default version, and enables both preempt and accept mode by default. You cannot change these default values with NCLU.
To work around this issue, run the vtysh commands (inside FRR) to change the default values. For example:
cumulus@switch:~$ sudo vtysh
switch# configure terminal
switch(config)# interface swp4
switch(config-if)# vrrp 1 version 2
switch(config-if)# no vrrp 1 preempt
switch(config-if)# end
switch# write memory
switch# exit
cumulus@switch:~

3.7.4-3.7.13, 4.0.0-4.2.1
CM-24262 NCLU does not honor auto all in the /etc/network/interfaces file and removes the existing configuration if no individual auto <iface> lines exist.3.7.3-3.7.13, 4.0.0-4.2.1
CM-24241 When you try to remove a BGP peer group configuration with NCLU, the command fails but no warning message is shown. For example:
cumulus@switch:~$ net del bgp neighbor fabric peer-group
'router bgp 65001' configuration does not have 'neighbor fabric peer-group'

3.7.2-3.7.13, 4.0.0-4.2.1
CM-24222 When an LDAP user that does not have NCLU privileges (either in the netshow or netedit group, or in the /etc/netd.conf file) runs an NCLU command, a traceback occurs instead of a permissions error.3.7.0-3.7.13, 4.0.0-4.2.1
CM-24035 On the Edgecore 4610-54P switch, automatic medium-dependent interface crossover (auto-MDIX) stops working on a 100M full duplex interface and does not detect the required cable connection type.3.7.2-3.7.13, 4.0.0-4.2.1
CM-23825 The net add interface <interface> ptm-enable command adds no ptm-enable for that interface in the frr.conf file.
Running the net add or the net del command does not remove no ptm-enable from the frr.conf file. You have to remove it manually using vtysh.
3.7.2-3.7.13, 4.0.0-4.2.1
CM-23665 NCLU automatically adds the VLAN ID (for the layer 3 VNI/SVI) to the bridge when you run net add vxlan <layer3-vni> bridge access <vlan>. This configuration breaks network connectivity in an EVPN symmetric routing configuration using MLAG.
To restore connectivity, remove the VLAN ID from the bridge.
3.7.2-3.7.13, 4.0.0-4.2.1
CM-23661 On the Mellanox switch, when you configure a GRE tunnel, the traffic behind the local tunnel endpoint destined through the GRE tunnel is software-forwarded.3.7.2-3.7.13, 4.0.0-4.2.1
CM-23651 In an EVPN symmetric routing configuration, when an IP address is frozen, kernel neighbor table information and kernel VRF routing table information about the frozen IP address might be out-of-sync.3.7.3-3.7.13, 4.0.0-4.2.1
CM-23584 When you configure a control plane ACL to define permit and deny rules for traffic destined to the local switch, NCLU programs the rules into the FORWARD chain. Traffic addressed to the switch itself traverses the INPUT chain, not FORWARD, so these rules do not take effect on it.3.7.2-3.7.13, 4.0.0-4.2.1
CM-23570 On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the /etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up.
After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown.
To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings.
Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G.
3.7.2-3.7.13, 4.0.0-4.2.1
CM-23418 For QSFP modules, the sudo ifdown command does not disable the Tx laser.3.7.2-3.7.13, 4.0.0-4.2.1
CM-23417 If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid.3.7.0-3.7.13, 4.0.0-4.2.1
CM-23311 In an EVPN centralized routing configuration, where the layer 2 network extends beyond VTEPs, (for example, a host with bridges), the gateway MAC address does not get refreshed in the network when ARP suppression is enabled on the gateway.
To work around this issue, disable ARP suppression on the centralized gateway.
4.0.0-4.2.1
CM-23075 There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces:
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
3.7.1-3.7.13, 4.0.0-4.2.1
CM-23021 When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB.3.7.1-3.7.13, 4.0.0-4.2.1
CM-22554 If you try to bring down several members of a bond remotely at the same time, the link state of one of the interfaces might not transition correctly to the down state; however, all links show down in hardware.3.6.2-3.7.13, 4.0.0-4.2.1
CM-22386 The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection cannot differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and so do not go through the iptables redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU, due to the inner MAC DA lookup in hardware.3.7.0-3.7.13, 4.0.0-4.2.1
CM-22301 For an unresolved address, the IPROUTER default policer rule has been modified so that it does not match packets exiting a TUNNEL and headed to the CPU to resolve the address via ARP. As a result, the following default rule no longer matches TUNNEL ingress packets:
-A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type IPROUTER -j POLICE --set-mode pkt --set-rate 400 --set-burst 100

These packets are now policed by the catch-all rules.
To work around this issue, change the VPORT value on a Trident switch from binary 011 to 100.
3.6.1-3.7.13, 4.0.0-4.2.1
CM-22287 On the EdgeCore AS7712 (Tomahawk) switch running in atomic mode, when a layer 3 ECMP path is brought down, traffic traversing the path stops working for about four seconds. When the switch is changed to non-atomic mode, the delay is less than one second. This issue is seen across OSPF and static ECMP routes.3.6.2-3.7.13, 4.0.0-4.2.1
CM-22228 On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working.3.7.0-3.7.13, 4.0.0-4.2.1
CM-22041 At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets.
When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart.
3.4.3-3.7.13, 4.0.0-4.2.1
CM-22020 On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly.
To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic.
3.7.0-3.7.13, 4.0.0-4.2.1
CM-21785 The source address of the ICMPv6 time exceeded message (traceroute hop) is sourced from the wrong VRF when the traceroute target resides on the same switch but in a different VRF.3.6.2-3.7.13, 4.0.0-4.2.1
CM-21678 On a Dell switch with a Maverick ASIC, NetQ might receive false alerts like the following via PagerDuty:
cumulus@switch:~$ netq show sensors temp changes | grep absent | grep -v psu
P2Leaf01 temp9 networking asic die temp sensor absent 43 105 100 5 Unable to find driver path: /cumulu Add 7d:22h:1m:41s
P2Leaf01 temp6 networking asic die temp sensor absent 45 105 100 5 Unable to find driver path: /cumulu Add 7d:22h:1m:41s
P2Leaf01 temp6 networking asic die temp sensor absent 47 105 100 5 Unable to read temp4_highest Add 9d:23h:26m:6s
P2Leaf01 temp6 networking asic die temp sensor absent 45 105 100 5 Unable to read temp4_highest Add 14d:22h:46m:45s

This message might occur as a result of a timeout at the hardware level, or the switch might be reporting a failure to get a response.
3.5.3-3.7.13, 4.0.0-4.2.1
CM-21667 FRR does not add BGP ttl-security to either the running configuration or to the /etc/frr/frr.conf file when configured on a peer group instead of a specific neighbor.
To work around this issue, add ttl-security to individual neighbors instead of the peer group.
3.6.1-3.7.13, 4.0.0-4.2.1
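A check for the workaround, as an added example written for this page (not Cumulus or FRR code): it parses the output of vtysh -c 'show running-config' and lists, per router bgp stanza, the neighbors that have no ttl-security line of their own. It deliberately gives no credit to a ttl-security line on a peer group, because that is exactly the line the bug drops; on a fixed release, where group members do inherit it, treat those reports as false positives. The ASN, interface names and addresses in the sample configuration are made up.

```python
"""Audit an FRR BGP configuration for neighbors without ttl-security.

Added example, not Cumulus or FRR code. Because a ttl-security line on a
peer group is dropped on affected releases (CM-21667), the audit credits
only per-neighbor lines: every neighbor that is not itself a peer group
must carry its own `neighbor <X> ttl-security hops N`.
"""
from typing import Dict, List


def audit_ttl_security(config: str) -> Dict[str, List[str]]:
    """Map each `router bgp` stanza to its neighbors lacking ttl-security."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("router bgp"):
            current = line.strip()
            blocks[current] = []
        elif line and not line[0].isspace():
            current = None  # any other top-level stanza ends the BGP block
        elif current is not None and line.strip().startswith("neighbor "):
            blocks[current].append(line.strip())

    result: Dict[str, List[str]] = {}
    for header, lines in blocks.items():
        neighbors, groups, protected = set(), set(), set()
        for stmt in lines:
            parts = stmt.split()
            if len(parts) < 2:
                continue
            name, rest = parts[1], parts[2:]
            neighbors.add(name)
            if rest == ["peer-group"]:  # `neighbor fabric peer-group` defines a group
                groups.add(name)
            elif rest[:1] == ["ttl-security"]:
                protected.add(name)
        # A group-level ttl-security line is ignored on purpose: it does not
        # survive on affected releases, so members need their own line.
        result[header] = sorted(neighbors - groups - protected)
    return result


# Constructed running-config; ASN, interface names and addresses are made up.
SAMPLE_RUNNING_CONFIG = """\
router bgp 65001
 bgp router-id 10.0.0.1
 neighbor fabric peer-group
 neighbor fabric remote-as external
 neighbor swp1 interface peer-group fabric
 neighbor swp2 interface peer-group fabric
 neighbor swp2 ttl-security hops 1
 neighbor 10.0.0.2 remote-as 65001
 !
 address-family ipv4 unicast
  neighbor fabric activate
  neighbor 10.0.0.2 activate
 exit-address-family
!
line vty
!
"""

if __name__ == "__main__":
    for header, missing in audit_ttl_security(SAMPLE_RUNNING_CONFIG).items():
        print(f"{header}: no ttl-security on {', '.join(missing) or 'none'}")
```

Run it against the real configuration after net commit; anything it lists is a neighbor the workaround has not yet covered.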
CM-21278 The net show lldp command sometimes shows the port description in the Remote Port field. The net show interface command shows the correct value in the Remote Host field.
To work around this issue, use net show interface command for LLDP output when connected to Cisco equipment.
3.5.3-3.7.10, 4.0.0-4.2.1 (fixed in 3.7.11-3.7.13)
CM-21055 On the Mellanox switch, the destination MAC address of ERSPAN GRE packets is set to all zeros; therefore, the first transit switch might drop packets.3.6.0-3.7.13, 4.0.0-4.2.1
CM-20813 Span rules matching the out-interface as a bond do not mirror packets.3.6.0-3.7.13, 4.0.0-4.2.1
CM-20508 The Cumulus-Resource-Query-MIB defines the ability to gather buffer utilization status but when these objects are polled, they return nothing.3.5.3-3.7.13, 4.0.0-4.2.1
CM-20033 The VLAN interface stays up even though the physical link carrying the VLAN is admin or carrier down.3.5.2-3.7.13, 4.0.0-4.2.1
CM-19724 PIM and MSDP entries are set to the internal COS value of 6 so they are grouped together with the bulk traffic priority group in the default traffic.conf file. However, PIM, IGMP, and MSDP are considered control-plane and should be set to the internal COS value of 7.3.5.2-3.7.13, 4.0.0-4.2.1
CM-19454 When you use NCLU to bring a bond admin down (net add bond <bond> link down), the bond interface goes into admin down state but the switch ports enslaved to the bond remain UP. If you are using bond-lacp-bypass-allow or balance-xor mode, the host might continue to send traffic. This traffic will be dropped because although the bond slaves are UP, they are not members of the bridge.
To work around this issue, use the sudo ifdown <bondname> command.
3.5.0-3.7.13, 4.0.0-4.2.1
CM-17934 FRR tracks interface speed based on the value it learns from the Linux kernel for that interface. If the interface speed changes, FRR does not update its interface speed cache. This can lead to issues for routing protocols that derive metrics from interface speed as the cost can become out of sync with the interface speed.
To work around this issue, manually define the routing protocol metric for these interfaces or restart FRR.
3.7.6-3.7.13, 4.0.0-4.2.1
CM-17494 In certain cases, a peer device sends an ARP request from a source IP address that is not on the connected subnet and the switch creates a STALE neighbor entry. Eventually, the switch attempts to keep the entry fresh and sends ARP requests to the host. If the host responds, the switch has REACHABLE neighbor entries for hosts that are not on the connected subnet.
To work around this issue, change the value of arp_ignore to 2. See Address Resolution Protocol in the Cumulus Linux user guide for more information.
3.3.2-3.7.13, 4.0.0-4.2.1
CM-16571 NCLU cannot manage rsyslog to addresses routed via a VRF. In Cumulus Linux 4.0.0 and later, management VRF is enabled by default. To work around this issue, update the /etc/network/interfaces file to disable management VRF.3.4.3-3.7.13, 4.0.0-4.2.1
CM-15812 Multicast forwarding fails for IP addresses whose DMAC overlaps with reserved DIPs.3.2.1-3.7.13, 4.0.0-4.2.1

Fixed issues in 4.2.1

Issue IDDescriptionAffects
CM-31374CVE-2020-15166: ZeroMQ, a lightweight messaging kernel library
does not properly handle connecting peers before a handshake is
completed. A remote, unauthenticated client connecting to an application
using the libzmq library, running with a socket listening with CURVE
encryption/authentication enabled can take advantage of this flaw to
cause a denial of service affecting authenticated and encrypted clients.
Vulnerable: <= 4.3.1-4+deb10u1
Fixed: 4.3.1-4+deb10u2
4.0.0-4.2.0
CM-31373The following vulnerabilities have been announced in the qemu packages, which are available for optional installation:
CVE-2020-12829: An integer overflow in the sm501 display device may result in denial of service.
CVE-2020-14364: An out-of-bounds write in the USB emulation code may result in guest-to-host code execution.
CVE-2020-15863: A buffer overflow in the XGMAC network device may result in denial of service or the execution of arbitrary code.
CVE-2020-16092: A triggerable assert in the e1000e and vmxnet3 devices may result in denial of service.
Vulnerable: <= 3.1+dfsg-8+deb10u7
Fixed: 3.1+dfsg-8+deb10u8
4.0.0-4.2.0
CM-31356On the Mellanox switch with the Spectrum-3 ASIC, Cumulus Linux supports certain port speeds in NRZ mode and certain port speeds in PAM4 mode. Make sure to use the optics accordingly.
  • Port speeds 50G, 2x50G, 100G work in NRZ mode.
  • Port speeds 4x50G, 8x50G, 2x100G, 4x100G, 200G, 2x200G, 400G work in PAM4 mode.
CM-31225The following vulnerabilities have been announced in the BIND9 server, which is available for optional installation:
CVE-2020-8619: an asterisk character in an empty non-terminal can cause an assertion failure, resulting in denial of service.
CVE-2020-8622: a truncated TSIG response can lead to an assertion failure, resulting in denial of service.
CVE-2020-8623: a flaw in the native PKCS#11 code can lead to a remotely triggerable assertion failure, resulting in denial of service.
CVE-2020-8624: update-policy rules of type "subdomain" are enforced incorrectly, allowing updates to all parts of the zone along with the intended subdomain.
Vulnerable: <= 9.11.5.P4+dfsg-5.1+deb10u1
Fixed: 9.11.5.P4+dfsg-5.1+deb10u2
4.0.0-4.2.0
CM-31224FDB entries with type static are installed in hardware as dynamic entries with no aging instead of truly static, which might result in the entries being occasionally flushed from hardware and the kernel. For example, this might happen when a port is in the STP Blocking state during a MAC sync.4.2.0
CM-31192CVE-2020-11724: An issue was discovered in OpenResty before 1.15.8.4. ngx_http_lua_subrequest.c allows HTTP request smuggling, as demonstrated by the ngx.location.capture API.
Vulnerable: <= 1.14.2-2+deb10u2
Fixed: 1.14.2-2+deb10u3
4.0.0-4.2.0
CM-31174The following vulnerabilities have been announced in the ghostscript libgs9 package, which is available for optional installation. These can allow an attacker to elevate privileges or cause a denial of service with crafted PS/EPS/PDF files.
CVE-2020-16287 CVE-2020-16288 CVE-2020-16289 CVE-2020-16290 CVE-2020-16291 CVE-2020-16292 CVE-2020-16293 CVE-2020-16294 CVE-2020-16295 CVE-2020-16296 CVE-2020-16297 CVE-2020-16298 CVE-2020-16299 CVE-2020-16300 CVE-2020-16301 CVE-2020-16302 CVE-2020-16303 CVE-2020-16304 CVE-2020-16305 CVE-2020-16306 CVE-2020-16307 CVE-2020-16308 CVE-2020-16309 CVE-2020-16310 CVE-2020-17538
Vulnerable: <= 9.27~dfsg-2+deb10u3
Fixed: 9.27~dfsg-2+deb10u4
4.0.0-4.2.0
CM-31086When you add a member to a bond that has a subinterface configured (such as peerlink.4094), the new member is assigned only the VLAN of the subinterface for forwarding.
To work around this issue, bounce the bond, or shut down the new interface and use the remaining members of the bond.
3.7.10-4.2.0
CM-31057The following vulnerability has been announced:
CVE-2019-11360: A buffer overflow in iptables-restore in netfilter iptables 1.8.2 allows an attacker to (at least) crash the program or potentially gain code execution via a specially crafted iptables-save file. This is related to add_param_to_argv in xshared.c.
3.0.0-4.2.0
CM-31055The following vulnerability has been announced:
CVE-2019-20892: net-snmp before 5.8.1.pre1 has a double free in usm_free_usmStateReference in snmplib/snmpusm.c via an SNMPv3 GetBulk request.
Fixed: 5.8.0-cl4.2.1u1, 5.8.0-cl3.7.14u1
3.0.0-4.2.0
CM-31038The following vulnerability has been announced:
CVE-2019-20795: iproute2 has a use-after-free in get_netnsid_from_name in ip/ipnetns.c.
Vulnerable: <= 4.19.0-cl4u3
4.0.0-4.2.0
CM-31026If you edit a Cumulus Linux install image directly and provide a ZTP script within the "CL_INSTALLER_ZTP_CONTENT" variable, the ZTP shell script fails to run.4.2.0
CM-31016Changing the order of the bridge ports might cause the bridge MAC address to change, which flaps the bridge and its ports.
To work around this issue, manually set the MAC address of the bridge interface by adding hwaddress <mac-address> to the bridge stanza in the /etc/network/interfaces file.
3.0.0-4.2.0
CM-30957The following vulnerability has been announced in the json-c / libjson-c3 packages:
CVE-2020-12762: json-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_memappend.
Vulnerable: 0.12.1+ds-2
Fixed: 0.12.1+ds-2+deb10u1
4.0.0-4.2.0
CM-30872Several vulnerabilities have been discovered in the GRUB2 bootloader.
CVE-2020-10713: A flaw in the grub.cfg parsing code allows an attacker to bypass UEFI Secure Boot and load arbitrary code. Details can be found at https://www.eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/
CVE-2020-14308: It was discovered that grub_malloc does not validate the allocation size allowing for arithmetic overflow and subsequently a heap-based buffer overflow.
CVE-2020-14309: An integer overflow in grub_squash_read_symlink may lead to a heap-based buffer overflow.
CVE-2020-14310: An integer overflow in read_section_from_string may lead to a heap-based buffer overflow.
CVE-2020-14311: An integer overflow in grub_ext2_read_link may lead to a heap-based buffer overflow.
CVE-2020-15706: script: Avoid a use-after-free when redefining a function during execution.
CVE-2020-15707: An integer overflow flaw was found in the initrd size handling.
Vulnerable: <= 2.02+dfsg1-20, <= 2.02+dfsg1-cl4u1
Fixed: 2.02+dfsg1-20+deb10u2, 2.02+dfsg1-cl4.2.1u1
4.0.0-4.2.0
CM-30856The following vulnerability has been announced in NGINX, which is installed by default on Cumulus Linux (however, the default NGINX configuration is not vulnerable, as it does not configure error_page redirection):
CVE-2019-20372: NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer.
To work around this issue, do not use error_page redirection in the vulnerable configuration. https://bertjwregeer.keybase.pub/2019-12-10%20-%20error_page%20request%20smuggling.pdf describes the vulnerability and the vulnerable configuration.
Fixed: 1.14.2-2+deb10u2
4.0.0-4.2.0
CM-30827If the MAC address of an SVI changes, clagd does not update its permanent neighbor entry for the local interface, and it does not report the change to its MLAG peer. This leaves the MLAG peer in a state where its permanent neighbor for the MLAG peer’s SVI IP address continues to use the old MAC address, which causes routed traffic over this SVI to be dropped.
To work around this issue, ifdown/ifup the SVI when a MAC address changes.
3.7.12-4.2.0
CM-30826The following vulnerability has been announced in QEMU:
CVE-2020-8608: In libslirp 4.1.0, as used in QEMU 4.2.0, tcp_subr.c misuses snprintf return values, leading to a buffer overflow in later code.
Vulnerable: <= 3.1+dfsg-8+deb10u6
Fixed: 3.1+dfsg-8+deb10u7
4.0.0-4.2.0
CM-30580ifupdown2 does not account for link status or link down configuration when running dhclient. For example, ifupdown2 ignores link-down yes during ifup/ifreload and runs the DHCP module if inet dhcp is configured on the interface. ifupdown2 also runs the DHCP module even when the physical link configured for DHCP is down.3.7.12-4.2.0
CM-30565Several denial of service vulnerabilities have been announced in the qemu packages:
CVE-2020-10756 CVE-2020-13361 CVE-2020-13362 CVE-2020-13754 CVE-2020-13659
Vulnerable: <= 1:3.1+dfsg-8+deb10u5
Fixed: 1:3.1+dfsg-8+deb10u6
4.0.0-4.2.0
CM-30561On Mellanox switches, when you change the breakout configuration from 4x to 2x or from 2x to 4x, LLDP discovery fails.
To resolve this issue, restart the LLDP service.
4.2.0
CM-30554If you create a route map with the set large-comm-list command and the large community list referenced does not exist, bgpd might crash. You will also see an entry in the /var/log/frr/frr.log file.4.2.0
CM-30546The following vulnerabilities have been announced in the nss packages, including libnss3, which may be used by other programs:
CVE-2019-17006: Check length of inputs for cryptographic primitives
CVE-2019-17023: After a HelloRetryRequest has been sent, the client may negotiate a lower protocol than TLS 1.3, resulting in an invalid state transition in the TLS state machine. If the client gets into this state, incoming Application Data records are ignored.
CVE-2020-12399: NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys.
CVE-2020-12402: During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes.
Vulnerable: <= 3.42.1-1+deb10u2
Fixed: 3.42.1-1+deb10u3
4.0.0-4.2.0
CM-30504When the OVSDB VTEP scale increases, the CPU utilization increases and eventually the switch (ptmd) fails to respond to the BFD, causing the BFD session to go down. As a result OVSDB cannot read the BFD socket status and outputs a warning in the ovs-vtepd debugs: PTM socket error: Bad file descriptor.3.7.12-4.2.0
CM-30503In OVSDB high availability mode, if you create, then delete a binding, the FDB entry is not replaced and you see an error.3.7.12-4.2.0
CM-30498There is a change to the default OVSDB bootstrapping process: the script it creates now defaults to VLAN-aware bridge mode. If you want to use traditional bridge mode, you need to force it by editing the ovs-vtep-ctl script generated by the bootstrap process.3.7.12-4.2.0
CM-30486A host migrated to an 802.1X MAB port within the same broadcast domain fails to have the correct FDB entry installed if a dynamic FDB entry for that MAC address exists from previous connectivity in the broadcast domain.
To work around this issue, manually delete the dynamic FDB entry that is associated with the uplink trunk port.
3.7.12-4.2.0
CM-30484Multiple vulnerabilities have been discovered in the Xen hypervisor, which might result in denial of service, guest-to-host privilege escalation, or information leaks.
The CVE IDs are CVE-2020-11739, CVE-2020-11740, CVE-2020-11741, CVE-2020-11742, CVE-2020-11743, CVE-2020-15563, CVE-2020-15564, CVE-2020-15565, CVE-2020-15566, CVE-2020-15567.
Xen packages are not installed by default on Cumulus Linux, but some libxen* packages are in the repository for optional installation.
Vulnerable: < 4.11.3+24-g14b62ab3e5-1~deb10u1
Fixed: 4.11.4+24-gddaaccbbab-1~deb10u1
4.0.0-4.2.0
CM-30479When you restart clagd, the edge port setting on the peer link changes.3.7.2-4.2.0
CM-30472On the QuantaMesh T1048-LY4 switch, pluggables inserted into SFP+ ports are not detected.
To work around this issue, downgrade to Cumulus Linux 3.7 ESR.
4.0.0-4.2.0
CM-30464The net show dot1x interface summary command output shows a MAC address with all zeros associated with a port.3.7.12-4.2.0
CM-30394After adding an interface to a VRF, the router interface (RIF) is missing.4.2.0
CM-30287Non SFF-8634/SFF-8636 compliant 40G AOC modules might not link up when inserted into the Mellanox SN3700 switch. The EEPROM bytes for RX amplitude control (page 03h, bytes #236-239) are defined as volatile in the SFF specification (SFF-8634/8636); after the module power is off, the EEPROM values should return to their defaults. However, these bytes are observed to be non-volatile in the modules listed below.
  • Mellanox MFP4R12CB-0XX (Luxtera)
  • AVAGO AFBR-79Q4PACXXZ
https://www.finisar.com/sites/default/files/downloads/fcbg410qb1cxx_quadwire_40gbs_parallel_active_optical_cable_product_spec_revb7.pdf
https://www.mouser.com/ProductDetail/Finisar/FCBN410QB1C03?qs=D%252B6gCNt%2Fg2BZq7qPdKrYVA%3D%3D
Because the modules listed above do not return to their default values correctly when they are unplugged and re-inserted, a cable might become unusable until it is reprogrammed.
4.1.1-4.2.0
CM-30240 switchd memory utilization might continue to increase if there are excessive and continuous link flaps over a long period of time.
To work around this issue, correct the cause of the frequent link flaps. You can restart switchd with the sudo systemctl restart switchd command to recover memory; this operation is impactful to all traffic on the switch during the restart.
3.7.11-3.7.12, 4.0.0-4.2.0
CM-30178 NCLU tab completion for net show displays the text add help text instead of system Information for the system option.
3.7.11-4.2.0
CM-30141 In an MLAG configuration with static VXLAN, static tunnels become unreachable.
4.1.1-4.2.0
CM-29982 A VRRP role change over the EVPN network causes excessive BGP updates and connectivity issues to VIP for about one minute.
4.1.1-4.2.0
CM-29823 On Mellanox switches, when EVPN multihoming is configured, MAC moves are not detected.
4.2.0
CM-29525 The asic-monitor.service fails when you configure /etc/cumulus/datapath/monitor.conf with monitor.histogram_pg.collect.port_group_list = [all_packet_pg] and there is traffic passing through the buffer. When the service fails, you see the following traceback in journalctl:
asic-monitor[7389]: asic-monitor-module INFO: 2020-05-01 18:28:12.548734: Egress queue(s) greater than 500 bytes in monitor port group histogram_pg
asic-monitor[7389]: asic-monitor ERROR: ASIC monitor exception: sx_api_port_counter_tc_get failed: Parameter Error
asic-monitor[7389]: File "/usr/bin/asic-monitor", line 139, in
asic-monitor[7389]: main(sys.argv[1:])
asic-monitor[7389]: File "/usr/bin/asic-monitor", line 126, in main
asic-monitor[7389]: traceback.print_stack()
asic-monitor[7389]: Traceback (most recent call last):
asic-monitor[7389]: File "/usr/bin/asic-monitor", line 117, in main
asic-monitor[7389]: monitor.run()
asic-monitor[7389]: File "/usr/lib/python2.7/dist-packages/cumulus/asic_monitor.py", line 158, in run

3.7.11-4.2.0
CM-29000 The net show config and net show time ntp server commands do not show NTP server configuration.
4.1.0-4.2.0
CM-27999 On the EdgeCore AS7326-56X switch, the PSU fans show constant LOW warnings.
3.7.10-3.7.12, 4.0.0-4.2.0

4.2.0 Release Notes

Open issues in 4.2.0

Issue ID | Description | Affects | Fixed
CM-31545 In an MLAG configuration with a layer 3 VNI, when you bounce the peer link, all layer 2 VNIs listed under the layer 3 VNI are duplicated.
To work around this issue, restart FRR with the sudo systemctl restart frr.service command.
3.7.10-3.7.13, 4.1.1-4.2.1
CM-31469 When you delete a layer 2 VNI and VLAN, the layer 3 VNI reports an incorrect layer 2 VNI number.
To work around this issue, either restart FRR or delete the VNI interface first, then delete the VLAN/SVI.
4.2.0-4.2.1
CM-31418 The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux releases where eth0 is in the mgmt VRF by default, the ntp service automatically runs in the management VRF.
It is not recommended to run NTP with a source interface other than eth0 as this can be a security vulnerability.
Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning since the ntp service is still running in the mgmt VRF.
4.2.0-4.2.1
CM-31407 You cannot configure SNMPv3 trap-destinations in non-default VRFs with an authentication username that contains fewer than eight characters.
3.7.12-3.7.13, 4.2.0-4.2.1
CM-31374 CVE-2020-15166: ZeroMQ, a lightweight messaging kernel library, does not properly handle connecting peers before a handshake is completed. A remote, unauthenticated client connecting to an application using the libzmq library, running with a socket listening with CURVE encryption/authentication enabled, can take advantage of this flaw to cause a denial of service affecting authenticated and encrypted clients.
Vulnerable: <= 4.3.1-4+deb10u1
Fixed: 4.3.1-4+deb10u2
4.0.0-4.2.0 (fixed in 4.2.1)
CM-31373 The following vulnerabilities have been announced in the qemu packages, which are available for optional installation:
CVE-2020-12829: An integer overflow in the sm501 display device may result in denial of service.
CVE-2020-14364: An out-of-bounds write in the USB emulation code may result in guest-to-host code execution.
CVE-2020-15863: A buffer overflow in the XGMAC network device may result in denial of service or the execution of arbitrary code.
CVE-2020-16092: A triggerable assert in the e1000e and vmxnet3 devices may result in denial of service.
Vulnerable: <= 3.1+dfsg-8+deb10u7
Fixed: 3.1+dfsg-8+deb10u8
4.0.0-4.2.0 (fixed in 4.2.1)
CM-31358 The Dell 100G-LR4 (Innolight) transceiver cannot be up due to a power budget exceeded error on the Mellanox SN4600C switch.
4.2.0-4.2.1
CM-31327 After you manually edit the /etc/resolv.conf file to change or remove a VRF for a given DNS server, ifreload does not remove IP rules created for DNS servers in the VRF.
To work around this issue, run the net add/del dns nameserver [vrf <name>] command to force the DNS configuration.
3.7.13, 4.1.1-4.2.1
CM-31300 If a neighbour contains a special character in PortID for LLDP, the net show interface command does not display the LLDP information or the command might fail.
3.7.10-3.7.13, 4.2.0-4.2.1
CM-31263 RX_DRP on a bond interface increases without any data traffic while the slave port does not increase.
3.7.12-3.7.13, 4.2.0-4.2.1
CM-31225 The following vulnerabilities have been announced in the BIND9 server, which is available for optional installation:
CVE-2020-8619: an asterisk character in an empty non-terminal can cause an assertion failure, resulting in denial of service.
CVE-2020-8622: a truncated TSIG response can lead to an assertion failure, resulting in denial of service.
CVE-2020-8623: a flaw in the native PKCS#11 code can lead to a remotely triggerable assertion failure, resulting in denial of service.
CVE-2020-8624: update-policy rules of type "subdomain" are enforced incorrectly, allowing updates to all parts of the zone along with the intended subdomain.
Vulnerable: <= 9.11.5.P4+dfsg-5.1+deb10u1
Fixed: 9.11.5.P4+dfsg-5.1+deb10u2
4.0.0-4.2.0 (fixed in 4.2.1)
CM-31224 FDB entries with type static are installed in hardware as dynamic entries with no aging instead of truly static, which might result in the entries being occasionally flushed from hardware and the kernel. For example, this might happen when a port is in the STP Blocking state during a MAC sync.
4.2.0 (fixed in 4.2.1)
CM-31192 CVE-2020-11724: An issue was discovered in OpenResty before 1.15.8.4. ngx_http_lua_subrequest.c allows HTTP request smuggling, as demonstrated by the ngx.location.capture API.
Vulnerable: <= 1.14.2-2+deb10u2
Fixed: 1.14.2-2+deb10u3
4.0.0-4.2.0 (fixed in 4.2.1)
CM-31174 The following vulnerabilities have been announced in the ghostscript libgs9 package, which is available for optional installation. These can allow an attacker to elevate privileges or cause a denial of service with crafted PS/EPS/PDF files.
CVE-2020-16287 CVE-2020-16288 CVE-2020-16289 CVE-2020-16290 CVE-2020-16291 CVE-2020-16292 CVE-2020-16293 CVE-2020-16294 CVE-2020-16295 CVE-2020-16296 CVE-2020-16297 CVE-2020-16298 CVE-2020-16299 CVE-2020-16300 CVE-2020-16301 CVE-2020-16302 CVE-2020-16303 CVE-2020-16304 CVE-2020-16305 CVE-2020-16306 CVE-2020-16307 CVE-2020-16308 CVE-2020-16309 CVE-2020-16310 CVE-2020-17538
Vulnerable: <= 9.27~dfsg-2+deb10u3
Fixed: 9.27~dfsg-2+deb10u4
4.0.0-4.2.0 (fixed in 4.2.1)
CM-31150 On the Mellanox SN2410 switch, you see switchd core and GBIN_MALLOC errors.
To work around this issue, restart switchd.
3.7.12-3.7.13, 4.0.0-4.2.1
CM-31120 In a traditional bridge configuration with ip-forward off, neighbors are synchronized to hardware with a switchd restart but are cleared when you flap the bridge interface.
3.7.10-3.7.13, 4.0.0-4.2.1
CM-31111 On the EdgeCore AS4610 switch, the eth0 interface remains down when physically connected to a 1G interface.
To work around this issue, configure the link speed to 1000 and set auto-negotiation on for the eth0 interface, then flap eth0 with the ip link set eth0 down/up command to bring up the port.
4.2.0-4.2.1
CM-31107 When you boot Cumulus VX 4.2 for the first time, ZTP does not execute because it thinks that the /etc/shadow file has been modified. This is due to the default password change implemented in CL 4.2.
To work around this issue, boot the switch, manually change the password, then run sudo ztp -R to reset the ZTP script.
4.2.0-4.2.1
CM-31086 When you add a member to a bond that has a subinterface configured (such as peerlink.4094), the new member is assigned only the VLAN of the subinterface for forwarding.
To work around this issue, bounce the bond or shut down the new interface and use the remaining members over the bond.
3.7.10-4.2.0 (fixed in 4.2.1)
CM-31073 When you set the sysctl settings net.ipv6.conf.all.accept_ra_defrtr (to prevent acceptance of IPv6 default route advertisements) and net.ipv6.conf.default.accept_ra_defrtr (set for newly created interfaces), if you create a new virtual interface, any pre-existing interface does not start accepting IPv6 default route advertisements again.
To work around this issue, when you create a new virtual interface, set net.ipv6.conf.<interface>.accept_ra_defrtr to 0 for all interfaces and run sysctl -p --system.
3.7.12-3.7.13, 4.0.0-4.2.1
CM-31057 The following vulnerability has been announced:
CVE-2019-11360: A buffer overflow in iptables-restore in netfilter iptables 1.8.2 allows an attacker to (at least) crash the program or potentially gain code execution via a specially crafted iptables-save file. This is related to add_param_to_argv in xshared.c.
3.0.0-4.2.0 (fixed in 4.2.1)
CM-31056 After configuring multiple dhcrelay6 instances, then restarting the dhcrelay6 relay service, replies are sent on the incorrect VLAN.
This problem does not occur if you only have one instance of dhcrelay6. Restart on both instances.
4.1.1-4.2.1
CM-31055 The following vulnerability has been announced:
CVE-2019-20892: net-snmp before 5.8.1.pre1 has a double free in usm_free_usmStateReference in snmplib/snmpusm.c via an SNMPv3 GetBulk request.
Fixed: 5.8.0-cl4.2.1u1, 5.8.0-cl3.7.14u1
3.0.0-4.2.0 (fixed in 4.2.1)
CM-31038 The following vulnerability has been announced:
CVE-2019-20795: iproute2 has a use-after-free in get_netnsid_from_name in ip/ipnetns.c.
Vulnerable: <= 4.19.0-cl4u3
4.0.0-4.2.0 (fixed in 4.2.1)
CM-31028 Ingress SPAN/ERSPAN does not mirror packets when the next hop is EVPN encapsulated.
3.7.7-3.7.13, 4.0.0-4.2.1
CM-31026 If you edit a Cumulus Linux install image directly and provide a ZTP script within the "CL_INSTALLER_ZTP_CONTENT" variable, the ZTP shell script fails to run.
4.2.0 (fixed in 4.2.1)
CM-31016 Changing the order of the bridge ports might cause the bridge MAC address to change, which flaps the bridge and its ports.
To work around this issue, manually set the MAC address of the bridge interface by adding hwaddress <mac-address> to the bridge stanza in the /etc/network/interfaces file.
3.0.0-4.2.0 (fixed in 4.2.1)
CM-30987 On the Mellanox switch, RoCE with PFC configuration is not applied to all ports in hardware when a range is used in the traffic.conf file.
To work around this issue, use NCLU to configure RoCE with PFC or list individual ports in the traffic.conf file.
4.2.0-4.2.1
CM-30957 The following vulnerability has been announced in the json-c / libjson_c3 packages:
CVE-2020-12762: json-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_memappend.
Vulnerable: 0.12.1+ds-2
Fixed: 0.12.1+ds-2+deb10u1
4.0.0-4.2.0 (fixed in 4.2.1)
CM-30879 NCLU restarts FRR when removing a BGP VRF IPv4 aggregate-address command.
3.7.12-3.7.13, 4.0.0-4.2.1
CM-30872 Several vulnerabilities have been discovered in the GRUB2 bootloader.
CVE-2020-10713: A flaw in the grub.cfg parsing code was found allowing to break UEFI Secure Boot and load arbitrary code. Details can be found at https://www.eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/
CVE-2020-14308: It was discovered that grub_malloc does not validate the allocation size allowing for arithmetic overflow and subsequently a heap-based buffer overflow.
CVE-2020-14309: An integer overflow in grub_squash_read_symlink may lead to a heap-based buffer overflow.
CVE-2020-14310: An integer overflow in read_section_from_string may lead to a heap-based buffer overflow.
CVE-2020-14311: An integer overflow in grub_ext2_read_link may lead to a heap-based buffer overflow.
CVE-2020-15706: script: Avoid a use-after-free when redefining a function during execution.
CVE-2020-15707: An integer overflow flaw was found in the initrd size handling.
Vulnerable: <= 2.02+dfsg1-20, <= 2.02+dfsg1-cl4u1
Fixed: 2.02+dfsg1-20+deb10u2, 2.02+dfsg1-cl4.2.1u1
4.0.0-4.2.0 (fixed in 4.2.1)
CM-30863 OpenSSH scp is vulnerable to CVE-2020-15778, where clients that have authorized access to the SSH server can execute commands on the server by copying maliciously named files.
The two scenarios where an exploit may be useful to an attacker:
- The user is authorized to scp but not ssh (based on the command option in the authorized_keys file), so this vulnerability can allow executing a remote command on the target computer when not authorized to do so.
- An attacker plants a maliciously named file in a directory tree that someone later uses scp -r to copy over to the target computer.
Be aware that restricting users to scp by using the command option in the authorized_keys file is not effective in preventing those users from executing arbitrary commands on the server.
If you want to use scp -r to copy directory trees, avoid copying directory trees to which attackers may have added maliciously-named files. Archiving the directory tree with tar, zip, or a similar program, then copying the archive over to be extracted on the server avoids having to use scp -r altogether. In addition, OpenSSH provides sftp, which you can use instead of scp to copy files.
To disable scp completely, use /bin/chmod 0 /usr/bin/scp.
3.0.0-3.7.13, 4.0.0-4.2.1
CM-30856 The following vulnerability has been announced in NGINX, which is installed by default on Cumulus Linux (however, the default NGINX configuration is not vulnerable, as it does not configure error_page redirection):
CVE-2019-20372: NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer.
To work around this issue, do not use error_page redirection in the vulnerable configuration. https://bertjwregeer.keybase.pub/2019-12-10%20-%20error_page%20request%20smuggling.pdf describes the vulnerability and the vulnerable configuration.
Fixed: 1.14.2-2+deb10u2
4.0.0-4.2.0 (fixed in 4.2.1)
CM-30832 The Mellanox SN2700 switch intermittently reports PSU fan state changes with Unable to read from device/fan1_input/pwm1 syslog messages.
4.1.1-4.2.1
CM-30827 If the MAC address of an SVI changes, clagd does not update its permanent neighbor entry for the local interface, and it does not report the change to its MLAG peer. This leaves the MLAG peer in a state where its permanent neighbor for the MLAG peer’s SVI IP address continues to use the old MAC address, which causes routed traffic over this SVI to be dropped.
To work around this issue, ifdown/ifup the SVI when a MAC address changes.
3.7.12-4.2.0 (fixed in 4.2.1)
CM-30826 The following vulnerability has been announced in QEMU:
CVE-2020-8608: In libslirp 4.1.0, as used in QEMU 4.2.0, tcp_subr.c misuses snprintf return values, leading to a buffer overflow in later code.
Vulnerable: <= 3.1+dfsg-8+deb10u6
Fixed: 3.1+dfsg-8+deb10u7
4.0.0-4.2.0 (fixed in 4.2.1)
CM-30580 ifupdown2 does not account for link status or link down configuration when running dhclient. For example, ifupdown2 ignores link-down yes during ifup/ifreload and runs the DHCP module if inet dhcp is configured on the interface. ifupdown2 also runs the DHCP module even when the physical link configured for DHCP is down.
3.7.12-4.2.0 (fixed in 4.2.1)
CM-30565 Several denial of service vulnerabilities have been announced in the qemu packages:
CVE-2020-10756 CVE-2020-13361 CVE-2020-13362 CVE-2020-13754 CVE-2020-13659
Vulnerable: <= 1:3.1+dfsg-8+deb10u5
Fixed: 1:3.1+dfsg-8+deb10u6
4.0.0-4.2.0 (fixed in 4.2.1)
CM-30561 On Mellanox switches, when you change the breakout configuration from 4x to 2x or from 2x to 4x, LLDP discovery fails.
To resolve this issue, restart the LLDP service.
4.2.0 (fixed in 4.2.1)
CM-30555 If you have an existing community list of any type, redefining the same sequence number results in the entire community list being deleted.
To work around this issue, delete the community list sequence before trying to adjust it.
4.2.0-4.2.1
CM-30554 If you create a route map with the set large-comm-list command and the large community list referenced does not exist, bgpd might crash. You will also see an entry in the /var/log/frr/frr.log file.
4.2.0 (fixed in 4.2.1)
CM-30546 The following vulnerabilities have been announced in the nss packages, including libnss3, which may be used by other programs:
CVE-2019-17006: Check length of inputs for cryptographic primitives
CVE-2019-17023: After a HelloRetryRequest has been sent, the client may negotiate a lower protocol than TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored.
CVE-2020-12399: NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys.
CVE-2020-12402: During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes.
Vulnerable: <= 3.42.1-1+deb10u2
Fixed: 3.42.1-1+deb10u3
4.0.0-4.2.0 (fixed in 4.2.1)
CM-30514 In OVSDB high availability mode, deleting > 200 VLAN bindings might cause ovs-vtepd to crash. Limit the deletion to 200 or fewer VLAN bindings.
3.7.12-3.7.13, 4.0.0-4.2.1
CM-30504 When the OVSDB VTEP scale increases, the CPU utilization increases and eventually the switch (ptmd) fails to respond to the BFD, causing the BFD session to go down. As a result OVSDB cannot read the BFD socket status and outputs a warning in the ovs-vtepd debugs: PTM socket error: Bad file descriptor.
3.7.12-4.2.0 (fixed in 4.2.1)
CM-30503 In OVSDB high availability mode, if you create, then delete a binding, the FDB entry is not replaced and you see an error.
3.7.12-4.2.0 (fixed in 4.2.1)
CM-30498 There is a change to the default OVSDB bootstrapping process, where the script created now defaults to VLAN-aware bridge mode. If you want to use traditional bridge mode, you need to force it by editing the ovs-vtep-ctl script generated by the bootstrap process.
3.7.12-4.2.0 (fixed in 4.2.1)
CM-30486 A host migrated to an 802.1X MAB port within the same broadcast domain fails to have the correct FDB entry installed if a dynamic FDB entry for that MAC address exists from previous connectivity in the broadcast domain.
To work around this issue, manually delete the dynamic FDB entry that is associated with the uplink trunk port.
3.7.12-4.2.0 (fixed in 4.2.1)
CM-30484 Multiple vulnerabilities have been discovered in the Xen hypervisor, which might result in denial of service, guest-to-host privilege escalation, or information leaks.
The CVE IDs are CVE-2020-11739, CVE-2020-11740, CVE-2020-11741, CVE-2020-11742, CVE-2020-11743, CVE-2020-15563, CVE-2020-15564, CVE-2020-15565, CVE-2020-15566, CVE-2020-15567.
Xen packages are not installed by default on Cumulus Linux, but some libxen* packages are in the repository for optional installation.
Vulnerable: < 4.11.3+24-g14b62ab3e5-1~deb10u1
Fixed: 4.11.4+24-gddaaccbbab-1~deb10u1
4.0.0-4.2.0 (fixed in 4.2.1)
CM-30479 When you restart clagd, the edge port setting on the peer link changes.
3.7.2-4.2.0 (fixed in 4.2.1)
CM-30473 If you modify an interface name, then reuse the previous interface name for a different VLAN, the ifreload -a command generates an error similar to the following:
warning: : interface not recognized - please check interface configuration

4.1.0-4.2.1
CM-30472 On the QuantaMesh T1048-LY4 switch, pluggables inserted into SFP+ ports are not detected.
To work around this issue, downgrade to Cumulus Linux 3.7 ESR.
4.0.0-4.2.0 (fixed in 4.2.1)
CM-30464 The net show dot1x interface summary command output shows a MAC address with all zeros associated with a port.
3.7.12-4.2.0 (fixed in 4.2.1)
CM-30422 When you configure a bridge in the /etc/network/interfaces file, then try to reconfigure the bridge to be a VRF interface with the same name, ifreload/ifup commands fail with an invalid table id or unable to get vrf table id error.
3.7.12-3.7.13, 4.0.0-4.2.1
CM-30414 If you toggle VRRP priority values between VRRP routers, then run a switchd restart, a few IPv6 VRRP instances might not converge. As a result, both the VRRP routers act as master routers for the impacted IPv6 VRRP instances. IPv4 VRRP instances are not affected.
To work around this issue, remove, then add the VRRP configuration with NCLU commands or vtysh in FRR.
3.7.13, 4.2.0-4.2.1
CM-30394 After adding an interface to a VRF, the routing information field (RIF) is missing.
4.2.0 (fixed in 4.2.1)
CM-30361 On Mellanox switches with the Spectrum-2 switch, the lpm-balanced forwarding profile does not work.
4.1.1-4.2.1
CM-30358 The Mellanox Spectrum-3 switch takes approximately fifteen seconds for ports to move from an admin up state to an operational up state. Also, restarting switchd takes more than 120 seconds.
4.2.0-4.2.1
CM-30312 When TACACS+ is configured and the management VRF is enabled, users with privilege level 13 are prevented from running ip and cat commands.
4.0.0-4.2.1
CM-30296 The net show configuration command provides the wrong net add command for ACL under the VLAN interface.
3.7.12-3.7.13, 4.1.0-4.2.1
CM-30287 Non SFF-8634/SFF-8636 compliant 40G AOC modules might not link up when inserted into the Mellanox SN3700 switch. The EEPROM bytes for RX amplitude control (page 03h, bytes #236-239) are defined as volatile in the SFF specification (SFF-8634/8636); after the module power is off, the EEPROM values should return to their defaults. However, these bytes are observed to be non-volatile in the modules listed below.
  • Mellanox MFP4R12CB-0XX (Luxtera)
  • AVAGO AFBR-79Q4PACXXZ
https://www.finisar.com/sites/default/files/downloads/fcbg410qb1cxx_quadwire_40gbs_parallel_active_optical_cable_product_spec_revb7.pdf
https://www.mouser.com/ProductDetail/Finisar/FCBN410QB1C03?qs=D%252B6gCNt%2Fg2BZq7qPdKrYVA%3D%3D
Because the modules listed above do not return to their default values correctly when they are unplugged and re-inserted, a cable might become unusable until it is reprogrammed.
4.1.1-4.2.0 (fixed in 4.2.1)
CM-30280 On a Mellanox SN2010 switch, the Locator LED is on after you upgrade Cumulus Linux.
4.1.0-4.2.1
CM-30247 dot1qVlanIndex in the dot1qVlanStaticTable of the SNMP Q-BRIDGE-MIB does not use VLAN ID and does not comply with RFC 4363.
4.1.1-4.2.1
CM-30240 switchd memory utilization might continue to increase if there are excessive and continuous link flaps over a long period of time.
To work around this issue, correct the cause of the frequent link flaps. You can restart switchd with the sudo systemctl restart switchd command to recover memory; this operation is impactful to all traffic on the switch during the restart.
3.7.11-3.7.12, 4.0.0-4.2.0 (fixed in 3.7.13, 4.2.1)
CM-30231 When the dynamic or static flag on a bridge fdb (MAC) entry is changed to the opposite state, the new flag is not set appropriately in hardware. This can allow a static fdb entry to be unexpectedly learned dynamically on a different interface, or can prevent a dynamic entry from being updated or learned elsewhere.
This condition can occur during a manual replacement of a local MAC address or when EVPN updates a dynamic MAC address to add or remove the Sticky Mac flag. Either situation results in the MAC address keeping the original flag in hardware.
To work around this issue, delete or withdraw the fdb entry, then add the static MAC address directly. For example:
bridge fdb del 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master
bridge fdb add 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master [ static | dynamic ]

If you are unable to delete an EVPN-learned remote MAC address, you can replace the dynamic MAC address with a local static one, then delete the static MAC address. For example:
bridge fdb replace 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master static
bridge fdb del 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master
bridge fdb add 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master [ static | dynamic ]

4.0.0-4.2.1
CM-30230 If a remote EVPN Sticky MAC [Static MAC address] is unexpectedly learned dynamically on a local interface, the selected entries in zebra and BGP are in an inconsistent state.
zebra increments the local MAC mobility sequence number and considers the MAC address to be local, but BGP maintains the remote Sticky MAC as the best path selected. This results in zebra installing the local MAC address and BGP not updating the route for the MAC address.
4.0.0-4.2.1
CM-30224 The show evpn mac vni <vni> mac <mac-address> command stops displaying "Sticky MAC" if that MAC address is seen on a local bridge port. The following example shows the command output before the MAC address is seen on a local bridge:
cumulus@switch:~$ net show evpn mac vni 24 mac 50:6b:4b:aa:aa:aa
MAC: 50:6b:4b:aa:aa:aa
Remote VTEP: 10.0.0.41 Sticky Mac
Local Seq: 0 Remote Seq: 0
Neighbors:
No Neighbors

The following example shows the command output after the MAC address is seen on a local bridge:
cumulus@switch:~$ net show evpn mac vni 24 mac 50:6b:4b:aa:aa:aa
MAC: 50:6b:4b:aa:aa:aa
Remote VTEP: 10.0.0.41
Local Seq: 1 Remote Seq: 0
Neighbors:
10.2.4.14 Inactive

4.0.0-4.2.1
CM-30195 On the Dell S3000 switch, after installing the Cumulus Linux 4.1.1 disk image without a license, the switch sends a link beat if a remote host port is configured.
3.7.11-3.7.13, 4.1.1-4.2.1
CM-30194 After you enable ROCE with the net add interface <switch-port> storage-optimized pfc command, you cannot verify the command because it is not shown in the net show config command output.
4.1.1-4.2.1
CM-30182 The net show time ntp servers command does not show any output with management VRF.
4.1.1-4.2.1
CM-30178 NCLU tab completion for net show displays the text add help text instead of system Information for the system option.
3.7.11-4.2.0 (fixed in 4.2.1)
CM-30165 When you use a phone with EAP and voice VLAN is configured (and MAB is not configured), after the phone authenticates, all tagged traffic from the phone is dropped.
To work around this issue, enable MAB on the interface.
3.7.12-3.7.13, 4.0.0-4.2.1
CM-30164 The /usr/share/zoneinfo/leap-seconds.list file expires periodically and results in log messages being generated about that expiration.
To work around this issue, you must update the file from https://www.ietf.org/timezones/data/leap-seconds.list or upgrade the tzdata package to the newest version.
4.0.0-4.2.1
CM-30159 After you delete a bond, the deleted bond members have the deleted bond MAC address instead of their original MAC address, which might result in traffic being discarded.
To work around this issue, perform a full switch restart.
4.1.1-4.2.1
CM-30141 In an MLAG configuration with static VXLAN, static tunnels become unreachable.
4.1.1-4.2.0 (fixed in 4.2.1)
CM-30103 On a Broadcom switch with the Trident2+ ASIC, ACL rules for VLANs are not applied after a reboot and the counters remain at zero.
To work around this issue, either do not set acl.non_atomic_update_mode = TRUE in the /etc/cumulus/switchd.conf file or run the cl-acltool -i command after the reboot to install the ACLs.
3.7.12-3.7.13, 4.0.0-4.2.1
CM-30101 The NCLU net show bridge spanning-tree command displays the aging timer incorrectly.
3.7.12-3.7.13, 4.0.0-4.2.1
CM-30089 Cumulus Linux supports a maximum of 300 ACLs for use with 802.1X interfaces. This limit encompasses the default ACLs, pre-auth ACLs and dynamic ACLs. Exceeding this limit can affect the performance of the switch.
4.1.0-4.2.1
CM-30052 Configuring the subinterface of a VXLAN uplink under another traditional bridge, which also has the VXLAN VNI enslaved, causes switchd to use high CPU due to very frequent VXLAN tunnel sync events.
To work around this issue, do not enslave the subinterface of a VXLAN layer 3 uplink under a traditional bridge in a VXLAN configuration.
4.1.1-4.2.1
CM-29982 A VRRP role change over the EVPN network causes excessive BGP updates and connectivity issues to VIP for about one minute.
4.1.1-4.2.0 (fixed in 4.2.1)
CM-29978 The received PVST BPDU for a VLAN is flooded even though the ingress port doesn't have the VLAN tagged.
3.7.8-3.7.13, 4.0.0-4.2.1
CM-29890 Multiple paths to identical EVPN prefixes are either not displayed or not accepted into the l2vpn evpn table if they are received from a different AS.
3.7.12-3.7.13, 4.1.1-4.2.1
CM-29872 Tab completion for the net show rollback description command returns information about a snapshot instead of context help.
To work around this issue, run the net show commit history command to find descriptions instead of the net show rollback description command.
3.7.12-3.7.13, 4.0.0-4.2.1
CM-29871 The net show rollback description <string> command returns an error even if the string matches a commit description.
To work around this issue, look for your string in the output of the net show commit history command (or grep for it there) instead.
3.7.12-3.7.13, 4.0.0-4.2.1
CM-29823 On Mellanox switches, when EVPN multihoming is configured, MAC moves are not detected.
4.2.0 (fixed in 4.2.1)
CM-29809 You might see a three second traffic outage after an MLAG secondary reboot when the MLAG bonds become dual-connected again.
4.1.1-4.2.1
CM-29779 In LLDP, the snmp subagent loses all subsequent lldpRemSysName (1.0.8802.1.1.2.1.4.1.1.9) entries after an entry with a missing SysName is added.
All the information from lldpctl is correct. Only the entries after the entry that is missing a SysName in lldpRemSysName disappear from the snmp subagent.
3.7.12-3.7.13, 4.0.0-4.2.1
CM-29759 When you use nginx and restserver in management VRF to provide a REST API for the switch, nginx starts but restserver fails to start.
To work around this issue, comment out the Requires= line in the /lib/systemd/system/restserver.service. For example:
#Requires=nginx.service restserver.socket

3.7.12-3.7.13, 4.0.0-4.2.1
CM-29652 The ACCTON-DIAG option under the Cumulus Linux GRUB menu does not work. When you select this option, you see the following error:
error: invalid signature.
Press any key to continue…

3.7.12-3.7.13, 4.1.1-4.2.1
CM-29603 When you move an interface from one VRF to another and modify the description in the same configuration operation, FRR crashes and restarts during a service reload. If these two changes occur in separate reloads, FRR does not crash.
4.1.1-4.2.1
CM-29594 When you run an Ansible script to replace the /etc/network/interfaces file, then run the ifreload -a command, you see errors similar to the following:
error: swp1s1.2: netlink: cannot set link swp1s1.2 up: operation failed with 'Network is down' (100)
warning: cmd '/bin/ip addr del 10.0.0.1/24 dev eth0' failed: returned 2 (RTNETLINK answers: Cannot assign requested address

To work around this issue, run the ifreload -a command a second time.
3.7.12-3.7.13, 4.0.0-4.2.1
CM-29562 If you have an SVI with multiple VRR IP addresses and try to delete one of the VRR configurations, net commit or ifreload -a returns an error.
3.7.12-3.7.13, 4.1.1-4.2.1
CM-29546 In vtysh, if you configure, then remove a layer 3 VNI for a VRF, the VNI is removed from zebra even if the VNI interface still exists in the kernel.
If you configure a layer 2 VNI as a layer 3 VNI by mistake, removing the layer 3 VNI binding removes it from zebra but EVPN-learned MACs and neighbors are not installed into the kernel.
To work around this issue, delete, then re-add the missing VNI. For example:
cumulus@switch:~$ sudo ifdown vni10100
cumulus@switch:~$ sudo ifup vni10100

If you flap the link with the ip link set vni10100 down; ip link set vni10100 up commands, zebra does not re-add the VNI.
3.7.12-3.7.13, 4.0.0-4.2.1
CM-29525 The asic-monitor.service fails when you configure /etc/cumulus/datapath/monitor.conf with monitor.histogram_pg.collect.port_group_list = [all_packet_pg] and there is traffic passing through the buffer. When the service fails, you see the following traceback in journalctl:
asic-monitor[7389]: asic-monitor-module INFO: 2020-05-01 18:28:12.548734: Egress queue(s) greater than 500 bytes in monitor port group histogram_pg
asic-monitor[7389]: asic-monitor ERROR: ASIC monitor exception: sx_api_port_counter_tc_get failed: Parameter Error
asic-monitor[7389]: File "/usr/bin/asic-monitor", line 139, in
asic-monitor[7389]: main(sys.argv[1:])
asic-monitor[7389]: File "/usr/bin/asic-monitor", line 126, in main
asic-monitor[7389]: traceback.print_stack()
asic-monitor[7389]: Traceback (most recent call last):
asic-monitor[7389]: File "/usr/bin/asic-monitor", line 117, in main
asic-monitor[7389]: monitor.run()
asic-monitor[7389]: File "/usr/lib/python2.7/dist-packages/cumulus/asic_monitor.py", line 158, in run

3.7.11-4.2.0 (fixed in 4.2.1)
CM-29519 The JSON format output of the net show bgp l2vpn evpn summary command shows the incorrect neighbour state.3.7.12-3.7.13, 4.0.0-4.2.1
CM-29492 When you create SPAN or ERSPAN rules in ebtables, the action fails to install if it is not in lowercase. Make sure that the SPAN or ERSPAN action is all lowercase; for example:
[ebtables]
-A FORWARD --in-interface swp10 -j span --dport swp1

3.7.12-3.7.13, 4.1.1-4.2.1
CM-29319 When you configure an RD or RT with NCLU, you see duplicate VNI stanzas in the /etc/frr/frr.conf file.
To work around this issue, manually edit the /etc/frr/frr.conf file to define advertise-all-vni before the RD or RT configuration within the l2vpn evpn address family, then reload the FRR service with the sudo systemctl reload frr command.
4.1.0-4.2.1
CM-29309 When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports even when no MLD join has been received.3.7.11-3.7.13, 4.0.0-4.2.1
CM-29259 You might see the following gport error messages in switchd.log:

2020-04-10T19:50:01.011224+09:00 E1PDX0V1ELF0001 6 switchd[925]: hal_bcm_mdb.c:530 gport 0x800007a find failed
2020-04-10T19:50:01.011631+09:00 E1PDX0V1ELF0001 6 switchd[925]: hal_bcm_mdb.c:530 gport 0x8000009 find failed

These messages are harmless and can be ignored.
3.7.12-3.7.13, 4.0.0-4.2.1
CM-29148 On MLX switches that contain an OSPF IP unnumbered neighborship with a high scale of prefixes being learned, a link flap might cause the neighbor entry to not be programmed in hardware.3.7.11-3.7.13, 4.0.0-4.2.1
CM-29146 On the EdgeCore Minipack AS8000, storm control does not restrict unknown unicast, broadcast, or multicast traffic.4.1.1-4.2.1
CM-29043 When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF.
To work around this issue, remove the unnecessary eBGP IPv4 peering.
3.7.12-3.7.13, 4.0.0-4.2.1
CM-29035 When you upgrade Cumulus Linux on the EdgeCore AS7726-32X or AS7326-56X switch, you might see firmware errors similar to the following:
W: Possible missing firmware /lib/firmware/tigon/tg3_tso5.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3_tso.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3.bin for module tg3

You can safely ignore these error messages.
3.7.12-3.7.13, 4.0.0-4.2.1
CM-29000 The net show config and net show time ntp server commands do not show NTP server configuration.4.1.0-4.2.0 (fixed in 4.2.1)
CM-28940 If you configure aggregate-address <address> summary-only before a component of the same aggregate is injected into the BGP table with the network or redistribute command, when you remove the aggregate-address configuration, the component stays suppressed; it is not advertised to peers. For example:
Existing configuration:
router bgp 1
address-family ipv4 unicast
aggregate-address 50.0.0.0/8 summary-only
exit-address-family

If you add network 50.0.0.1/32, you see the following (expected) BGP table entries:
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 50.0.0.0 0.0.0.0 32768 i
s> 50.0.0.1/32 0.0.0.0 0 32768 i

Removing aggregate-address 50.0.0.0/8 summary-only at this point results in the following (unexpected) BGP table entry:
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
s> 50.0.0.1/32 0.0.0.0 0 32768 i

To work around this issue, remove, then re-add the component prefix routes.
3.7.12-3.7.13, 4.0.0-4.2.1
CM-28891 The net show configuration commands do not show the RoCE net add interface <swp> storage-optimized pfc configuration.4.1.0-4.2.1
CM-28816 The following security advisory has been announced for bash:
CVE-2019-18276 Qualys scan QID 372268 setuid vulnerability
When bash or bash scripts are run setuid, bash is supposed to drop privileges, but does so incorrectly, so that an attacker with command access to the shell can use enable -f for runtime loading of a new builtin that calls setuid() to regain dropped privileges.
To work around this issue, do not make bash or bash scripts setuid.
3.0.0-3.7.13, 4.0.0-4.2.1
CM-28770 The net add routing route-map <name> permit <seq> set community <comm> command does not add the set statement into the /etc/frr/frr.conf file.4.0.0-4.2.1
CM-28754 On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules.3.7.3-3.7.13, 4.0.0-4.2.1
CM-28613 In EVPN Active-Active (MLAG) environments, rebooting one member of an MLAG pair should result in the local MAC mobility sequence number reverting to 0. Sometimes a reboot of one MLAG peer results in the local MAC mobility sequence number being set to a non-zero value despite that no more mobility events occur. This issue is cosmetic only, as BGP does not advertise the incorrect sequence number and forwarding entries correctly point to the remote VTEP where the MAC is now located.3.7.12-3.7.13, 4.0.0-4.2.1
CM-28611 In an EVPN Active-Active (MLAG) environment, sometimes a local-to-remote MAC mobility event results in the local sequence number appearing higher than the remote sequence number in zebra. This issue is cosmetic only, as BGP does not advertise the incorrect sequence number and forwarding entries correctly point to the remote VTEP where the MAC is now located.3.7.12-3.7.13, 4.0.0-4.2.1
CM-28497 QinQ across VXLAN on a traditional bridge does not work.4.1.0-4.2.1
CM-28489 The following CVEs were announced for rsyslog:
CVE-2019-17041, CVE-2019-17042: rsyslogd, when receiving remote log messages (not enabled by default on Cumulus Linux) with the pmaixforwardedfrom or pmcisconames optional log parsers (also not enabled by default on Cumulus Linux), is vulnerable to CVE-2019-17041 and CVE-2019-17042, where malicious messages that appear to be from AIX or Cisco respectively can be made to skip sanity checks, resulting in incorrect negative lengths that cause heap overflows.
Vulnerable: 8.1901.0-1
Recommendation: Do not enable receiving syslog messages from other hosts over the network (with $UDPServerRun or $InputTCPServerRun). Also, do not enable (with $ModLoad) the vulnerable parsers pmaixforwardedfrom or pmcisconames. The default /etc/rsyslog.conf file on Cumulus Linux does not enable any of these.
4.0.0-4.2.1
CM-28458 NCLU incorrectly allows you to configure port security on bond/MLAG interfaces.
Port security is not supported on bond/MLAG interfaces.
4.0.0-4.2.1
CM-28393 On the Dell S5232F-ON switch, EVPN and dynamic VRF route leaking results in the CPU forwarding traffic to newly-learned type-2 routes.
To work around this issue, restart FRR.
3.7.9-3.7.13, 4.0.0-4.2.1
CM-28249 On the Mellanox switch, when you modify the buffer and queue configuration without restarting switchd, you might see a one second interruption in forwarding.4.0.0-4.2.1
CM-28226 When you restart the hsflowd service, you see a systemd warning message similar to the following:
Warning: The unit file, source configuration file or drop-ins of hsflowd@mgmt.service changed on disk. Run 'systemctl daemon-reload'.

4.0.0-4.2.1
CM-28080 TACACS+ through ClearPass is not currently supported. Cumulus Linux sends authorization before authentication, but ClearPass does not accept an authorization before the user is authenticated.3.7.11-3.7.13, 4.0.0-4.2.1
CM-28003 The FRR service does not provide a way for automation to know if the configuration applied properly.
To work around this issue, execute the vtysh -f <file> command in the automation file before starting the FRR service to validate the functional configuration and return an error code.
3.7.11-3.7.13, 4.0.0-4.2.1
CM-27999 On the EdgeCore AS7326-56X switch, the PSU fans show constant LOW warnings.3.7.10-3.7.12, 4.0.0-4.2.0 (fixed in 3.7.13, 4.2.1)
CM-27957 If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following:
systemd[1]: switchd.service watchdog timeout (limit 2min)!

To work around this issue, either reduce the number of configured interfaces and/or VLANs, or increase the systemd timeout for switchd.service.
To increase the systemd timeout:
  1. Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter.
  2. Restart the switchd service with the sudo systemctl restart switchd.service command.
    systemd will attempt to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command.
3.7.11-3.7.13, 4.0.0-4.2.1
CM-27950 On the Dell S5232F, S5248F, S5296F, and S3048 switch, using the poweroff or halt commands does not fully power off the switch.4.0.0-4.2.1
CM-27642 The following CVEs were announced that affect the libssh package:
CVE-2019-14889 has been announced in the libssh library, where unsanitized user-provided scp command lines could allow an attacker to execute arbitrary commands on the server.
The libssh library is not installed on Cumulus Linux by default, but is available in the Cumulus Linux 4 repository for optional installation. Note that libssh is distinct from libssh2 and openssh, which are present on the switches and in the repositories.
See the following for more information:
https://www.libssh.org/security/advisories/CVE-2019-14889.txt
https://security-tracker.debian.org/tracker/CVE-2019-14889
4.0.0-4.2.1
CM-27444 If you use the NCLU commands to configure NTP and run the net add time ntp source <interface> command before you run the net add time ntp server <server> iburst command, the /etc/ntp.conf file is misconfigured.
To work around this issue, run the net add time ntp server <server> iburst command before you run the net add time ntp source <interface> command.
3.7.10-3.7.11, 4.0.0-4.2.1 (fixed in 3.7.12-3.7.13)
CM-27243 The length of the netlink message is not set properly for non-bridge family type messages. The same length is used for both bridge and non-bridge even though the bridge family type message has an extra attribute. This causes extra bytes to be left over in non-bridge family type netlink messages.3.7.10, 4.0.0-4.2.1 (fixed in 3.7.11-3.7.13)
CM-27143 On the Dell S5248F-ON switch, the CPU core temperature sensors show ABSENT.4.0.0-4.2.1
CM-27099 On the Mellanox switch with the Spectrum-2 ASIC, Precision Time Protocol (PTP) is not currently supported.4.0.0-4.2.1
CM-27094 On the Delta AG9032v1 switch, smonctl and sensors report inaccurate PSU current and power.3.5.0-3.7.13, 4.0.0-4.2.1
CM-27018 If you configure more than one VRR interface on an SVI interface, deleting one of the VRR addresses does not remove the interface/address.3.7.10-3.7.13, 4.0.0-4.2.1
CM-26942 Port security is not currently supported on VX. The NCLU commands produce errors.4.0.0-4.2.1
CM-26921 If you delete an undefined bond, then add a bond slave, the net commit command fails.3.7.9-3.7.13, 4.0.0-4.2.1
CM-26913 FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:
sudo sh -c "printf 'interface 50\nvrf TEST description L3 routing interface\n' >> /etc/frr/frr.conf"

should be:
sudo sh -c "printf 'interface 50 vrf TEST\ndescription L3 routing interface\n' >> /etc/frr/frr.conf"

To work around this issue, configure the interface manually in the /etc/frr/frr.conf file.
3.7.9-3.7.13, 4.0.0-4.2.1
CM-26907 NCLU incorrectly allows you to apply port security configuration on layer 2 and layer 3 ports that are not part of a bridge.4.0.0-4.2.1
CM-26905 When you update the hostname of a switch with the NCLU net add hostname <hostname> command, then run net commit, the lldpd service does not restart and other devices still see the old hostname.
To work around this issue, run the sudo systemctl restart lldpd.service command.
3.7.10-3.7.13, 4.0.0-4.2.1
CM-26860 When you run the NCLU net show commit last or net show commit <number> command, where <number> is the last commit, no output is shown.4.0.0-4.2.1
CM-26769 Setting ProtoDown on ports populated with SFP modules providing RJ-45 1000BASE-T interfaces does not cause the carrier to be dropped. The kernel shows carrier down; however, the remote device still shows a link.3.7.6-3.7.10, 4.0.0-4.2.1 (fixed in 3.7.11-3.7.13)
CM-26599 Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.
To work around this issue, do not use auto-negotiation and set the local port speed to 10G.
3.7.9-3.7.13, 4.0.0-4.2.1
CM-26595 The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds.3.7.9-3.7.13, 4.0.0-4.2.1
CM-26516 Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host.3.7.5-3.7.13, 4.0.0-4.2.1
CM-26423 NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order.3.7.5-3.7.13, 4.0.0-4.2.1
CM-26412 MAC learning is not disabled by default on a double-tagged peer link interface, resulting in the MAC address changing between the MLAG bond and the peer link.
To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the /etc/network/interfaces file.
3.7.9-3.7.13, 4.0.0-4.2.1
CM-26308 An interface alias configured outside FRR using iproute2 is imported into the FRR running configuration and overrides the internal description. After an FRR reload, this causes FRR to delete the interface alias in an inefficient way. Depending on how many interfaces with aliases you have configured, this can cause an FRR reload to time out.
To work around this issue, remove the interface alias description from iproute2.
3.7.8-3.7.10, 4.0.0-4.2.1 (fixed in 3.7.11-3.7.13)
CM-26288 On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address.3.7.8-3.7.13, 4.0.0-4.2.1
CM-26256 The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.3.7.8-3.7.13, 4.0.0-4.2.1
CM-26241 On the Dell S5248F-ON switch, smond might generate syslog messages indicating that the fan input RPM is lower than the normal low speed of 2500 RPM. Speeds as low as 1700 RPM are acceptable in normal thermal environments; therefore, you can ignore these messages.3.7.6-3.7.11, 4.0.0-4.2.1 (fixed in 3.7.12-3.7.13)
CM-26217 NCLU does not allow you to configure OSPF NSSAs. For example:
cumulus@switch:~$ net add ospf area 0.0.0.1 nssa 
ERROR: Command not found.
net add ospf area 0.0.0.1 nssa

To work around this issue, use FRR instead. For example:
switch# configure terminal 
switch(config)# router ospf
switch(config-router)# area 0.0.0.1 nssa

3.7.7-3.7.10, 4.0.0-4.2.1 (fixed in 3.7.11-3.7.13)
CM-26179 If a hostname contains utf-8 characters, the NCLU net show lldp command outputs the following error:
ERROR: 'ascii' codec can't encode character u'\xe9' in position 3: ordinal not in range(128)
See /var/log/netd.log for more details.

3.7.7-3.7.10, 4.0.0-4.2.1 (fixed in 3.7.11-3.7.13)
CM-26137 ERSPAN in ebtables does not work for VNIs. For example, the following rule does not work:
-A FORWARD -i vni10 -j erspan --src-ip 100.1.1.2 --dst-ip 100.1.1.1 --ttl 64

3.7.6-3.7.13, 4.0.0-4.2.1
CM-26136 In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case).3.7.6-3.7.13, 4.0.0-4.2.1
CM-25986 On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces.
To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish.
4.0.0-4.2.1
CM-25890 In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18).3.7.0-3.7.13, 4.0.0-4.2.1
CM-25859 The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.
To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command.
3.7.7-3.7.13, 4.0.0-4.2.1
CM-25815 When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted.3.7.6-3.7.13, 4.0.0-4.2.1
CM-25740 On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags.
To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad:
cumulus@switch:~$ net add bridge mybridge vlan-protocol 802.1ad 

3.7.6-3.7.13, 4.0.0-4.2.1
CM-25694 If a packet is policed by ebtables, it does not increment an ACL drop on the ingress interface. Instead, it increments the TDBGC3/6 drop counter to the CPU.3.7.6-3.7.13, 4.0.0-4.2.1
CM-25674 On Mellanox switches, policer iptables are not working as expected. For example, when using a policer with mode KB/MB/GB to rate-limit interfaces, the syntax is accepted but the data plane transfer speed is not affected by the rule.3.7.6-3.7.8, 4.0.0-4.2.1 (fixed in 3.7.9-3.7.13)
CM-25400 If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically.3.7.6-3.7.13, 4.0.0-4.2.1
CM-25397 When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted.3.7.3-3.7.13, 4.0.0-4.2.1
CM-24894 The maximum-prefix configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded.3.7.5-3.7.13, 4.0.0-4.2.1
CM-24799 On switches with the Trident2 ASIC, 802.1Q-encapsulated control plane traffic received on an interface with 802.1AD configured subinterfaces might be dropped.
This issue only affects QinQ configurations.
3.7.5-3.7.13, 4.0.0-4.2.1
CM-24652 In an EVPN environment, the centralized MAC address is not installed on the MLAG pair because Cumulus Linux does not perform an SVI MAC check per VLAN.
This issue does not affect a pure distributed routing (symmetric or asymmetric) environment or a pure centralized routing environment.
3.7.0-3.7.13, 4.0.0-4.2.1
CM-24618 If the interface alias contains a single or double quotation mark, or an apostrophe, the net show configuration commands fail with the following error:
ERROR: No closing quotation
See /var/log/netd.log for more details.

3.6.1-3.7.13, 4.0.0-4.2.1
CM-24473 SNMP incorrectly requires engine ID specification.3.7.4-3.7.13, 4.0.0-4.2.1
CM-24435 When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a match interface condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces.
For example, this command is incorrect:
net add routing route-map Proxy-ARP permit 25 match interface swp9-10

These commands are correct:
net add routing route-map Proxy-ARP permit 25 match interface swp9
net add routing route-map Proxy-ARP permit 30 match interface swp10

3.7.2-3.7.13, 4.0.0-4.2.1
CM-24426 NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf <name> command just displays . For example:
cumulus@switch:~$ net add vrf mgmt

Tab completion for the net add vrf <name> ip address <address> command works correctly.
3.7.4-3.7.13, 4.0.0-4.2.1
CM-24379 On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route.3.7.5-3.7.13, 4.0.0-4.2.1
CM-24343 The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.
To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value.
3.7.4-3.7.13, 4.0.0-4.2.1
CM-24332 On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.3.7.3-3.7.13, 4.0.0-4.2.1
CM-24272 When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.
To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example:
cumulus@switch:~$ sudo vtysh
switch# configure terminal
switch(config)# interface br0.100
switch(config-if)# vrrp 1 priority 110
switch(config-if)# vrrp 1 advertisement-interval
switch(config-if)# end
switch# write memory
switch# exit
cumulus@switch:~$

3.7.4-3.7.13, 4.0.0-4.2.1
CM-24271 On SVIs in a VLAN-aware bridge, you cannot change the VRRP priority with NCLU.
To work around this issue, run the vtysh command inside FRR to change the default priority. For example:
cumulus@switch:~$ sudo vtysh
switch# configure terminal
switch(config)# interface vlan100
switch(config-if)# vrrp 1 priority 110
switch(config-if)# end
switch# write memory
switch# exit
cumulus@switch:~$

3.7.4-3.7.13, 4.0.0-4.2.1
CM-24270 Cumulus Linux uses VRRPv3 as the default version, and enables both preempt and accept mode by default. You cannot change these default values with NCLU.
To work around this issue, run the vtysh commands (inside FRR) to change the default values. For example:
cumulus@switch:~$ sudo vtysh
switch# configure terminal
switch(config)# interface swp4
switch(config-if)# vrrp 1 version 2
switch(config-if)# no vrrp 1 preempt
switch(config-if)# end
switch# write memory
switch# exit
cumulus@switch:~$

3.7.4-3.7.13, 4.0.0-4.2.1
CM-24262 NCLU does not honor auto all in the /etc/network/interfaces file and removes the existing configuration if no individual auto <iface> lines exist.3.7.3-3.7.13, 4.0.0-4.2.1
CM-24241 When you try to remove a BGP peer group configuration with NCLU, the command fails but no warning message is shown. For example:
cumulus@switch:~$ net del bgp neighbor fabric peer-group
'router bgp 65001' configuration does not have 'neighbor fabric peer-group'

3.7.2-3.7.13, 4.0.0-4.2.1
CM-24222 When an LDAP user that does not have NCLU privileges (either in the netshow or netedit group, or in the /etc/netd.conf file) runs an NCLU command, a traceback occurs instead of a permissions error.3.7.0-3.7.13, 4.0.0-4.2.1
CM-24035 On the Edgecore 4610-54P switch, automatic medium-dependent interface crossover (auto-MDIX) stops working on a 100M full duplex interface and does not detect the required cable connection type.3.7.2-3.7.13, 4.0.0-4.2.1
CM-23825 The net add interface <interface> ptm-enable command adds no ptm-enable for that interface in the frr.conf file.
Running the net add or the net del command does not remove no ptm-enable from the frr.conf file. You have to remove it manually using vtysh.
3.7.2-3.7.13, 4.0.0-4.2.1
CM-23665 NCLU automatically adds the VLAN ID (for the layer 3 VNI/SVI) to the bridge when you run net add vxlan <layer3-vni> bridge access <vlan>. This configuration breaks network connectivity in an EVPN symmetric routing configuration using MLAG.
To restore connectivity, remove the VLAN ID from the bridge.
3.7.2-3.7.13, 4.0.0-4.2.1
CM-23661 On the Mellanox switch, when you configure a GRE tunnel, the traffic behind the local tunnel endpoint destined through the GRE tunnel is software-forwarded.3.7.2-3.7.13, 4.0.0-4.2.1
CM-23651 In an EVPN symmetric routing configuration, when an IP address is frozen, kernel neighbor table information and kernel VRF routing table information about the frozen IP address might be out-of-sync.3.7.3-3.7.13, 4.0.0-4.2.1
CM-23584 When you configure a control plane ACL to define permit and deny rules destined to the local switch, NCLU programs the control plane ACL rules into the FORWARD chain.3.7.2-3.7.13, 4.0.0-4.2.1
CM-23570 On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the /etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up.
After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown.
To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings.
Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G.
3.7.2-3.7.13, 4.0.0-4.2.1
CM-23418 For QSFP modules, the sudo ifdown command does not disable the Tx laser.3.7.2-3.7.13, 4.0.0-4.2.1
CM-23417 If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid.3.7.0-3.7.13, 4.0.0-4.2.1
CM-23311 In an EVPN centralized routing configuration, where the layer 2 network extends beyond VTEPs, (for example, a host with bridges), the gateway MAC address does not get refreshed in the network when ARP suppression is enabled on the gateway.
To work around this issue, disable ARP suppression on the centralized gateway.
4.0.0-4.2.1
CM-23075 There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces:
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
3.7.1-3.7.13, 4.0.0-4.2.1
CM-23021 When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB.3.7.1-3.7.13, 4.0.0-4.2.1
CM-22554 If you try to bring down several members of a bond remotely at the same time, the link state of one of the interfaces might not transition correctly to the down state; however, all links show down in hardware.3.6.2-3.7.13, 4.0.0-4.2.1
CM-22386 The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptables redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.3.7.0-3.7.13, 4.0.0-4.2.1
CM-22301 For an unresolved address, the IPROUTER default policer rule has been modified to not match on packets exiting a TUNNEL and headed to the CPU to resolve the address via ARP. As a result, the following default rule no longer matches TUNNEL ingress packets.
-A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type IPROUTER -j POLICE --set-mode pkt --set-rate 400 --set-burst 100

These packets are now policed by the catch-all rules.
To work around this issue, the VPORT value on a TRIDENT switch must be changed from binary 011 to 100.
3.6.1-3.7.13, 4.0.0-4.2.1
CM-22287 On the EdgeCore AS7712 (Tomahawk) switch running in atomic mode, when a layer 3 ECMP path is brought down, traffic traversing the path stops working for about four seconds. When the switch is changed to non-atomic mode, the delay is less than one second. This issue is seen across OSPF and static ECMP routes.3.6.2-3.7.13, 4.0.0-4.2.1
CM-22228 On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working.3.7.0-3.7.13, 4.0.0-4.2.1
CM-22041 At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets.
When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart.
3.4.3-3.7.13, 4.0.0-4.2.1
CM-22020 On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly.
To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic.
3.7.0-3.7.13, 4.0.0-4.2.1
CM-21785 The source address of the ICMPv6 time exceeded message (traceroute hop) is sourced from the wrong VRF when the traceroute target resides on the same switch but in a different VRF.3.6.2-3.7.13, 4.0.0-4.2.1
CM-21678 On a Dell switch with a Maverick ASIC, NetQ might receive false alerts like the following via PagerDuty:
  cumulus@switch:~$ netq show sensors temp changes | grep absent | grep -v psu
  P2Leaf01 temp9 networking asic die temp sensor absent 43 105 100 5 Unable to find driver path: /cumulu Add 7d:22h:1m:41s
  P2Leaf01 temp6 networking asic die temp sensor absent 45 105 100 5 Unable to find driver path: /cumulu Add 7d:22h:1m:41s
  P2Leaf01 temp6 networking asic die temp sensor absent 47 105 100 5 Unable to read temp4_highest Add 9d:23h:26m:6s
  P2Leaf01 temp6 networking asic die temp sensor absent 45 105 100 5 Unable to read temp4_highest Add 14d:22h:46m:45s

This message might occur as a result of a timeout at the hardware level, or the switch might be reporting a failure to get a response.
3.5.3-3.7.13, 4.0.0-4.2.1
CM-21667 FRR does not add BGP ttl-security to either the running configuration or to the /etc/frr/frr.conf file when configured on a peer group instead of a specific neighbor.
To work around this issue, add ttl-security to individual neighbors instead of the peer group.
3.6.1-3.7.13, 4.0.0-4.2.1
CM-21278 The net show lldp command sometimes shows the port description in the Remote Port field. The net show interface command shows the correct value in the Remote Host field.
To work around this issue, use net show interface command for LLDP output when connected to Cisco equipment.
3.5.3-3.7.10, 4.0.0-4.2.1 (fixed in 3.7.11-3.7.13)
CM-21055 On the Mellanox switch, the destination MAC address of ERSPAN GRE packets is set to all zeros; therefore, the first transit switch might drop packets.
3.6.0-3.7.13, 4.0.0-4.2.1
CM-20813 Span rules matching the out-interface as a bond do not mirror packets.
3.6.0-3.7.13, 4.0.0-4.2.1
CM-20508 The Cumulus-Resource-Query-MIB defines the ability to gather buffer utilization status, but when these objects are polled, they return nothing.
3.5.3-3.7.13, 4.0.0-4.2.1
CM-20033 The VLAN interface stays up even though the physical link carrying the VLAN is admin or carrier down.
3.5.2-3.7.13, 4.0.0-4.2.1
CM-19724 PIM and MSDP entries are set to the internal COS value of 6 so they are grouped together with the bulk traffic priority group in the default traffic.conf file. However, PIM, IGMP, and MSDP are considered control-plane and should be set to the internal COS value of 7.
3.5.2-3.7.13, 4.0.0-4.2.1
CM-19454 When you use NCLU to bring a bond admin down (net add bond <bond> link down), the bond interface goes into admin down state but the switch ports enslaved to the bond remain UP. If you are using bond-lacp-bypass-allow or balance-xor mode, the host might continue to send traffic. This traffic will be dropped because although the bond slaves are UP, they are not members of the bridge.
To work around this issue, use the sudo ifdown <bondname> command.
3.5.0-3.7.13, 4.0.0-4.2.1
CM-17934 FRR tracks interface speed based on the value it learns from the Linux kernel for that interface. If the interface speed changes, FRR does not update its interface speed cache. This can lead to issues for routing protocols that derive metrics from interface speed as the cost can become out of sync with the interface speed.
To work around this issue, manually define the routing protocol metric for these interfaces or restart FRR.
3.7.6-3.7.13, 4.0.0-4.2.1
CM-17494 In certain cases, a peer device sends an ARP request from a source IP address that is not on the connected subnet and the switch creates a STALE neighbor entry. Eventually, the switch attempts to keep the entry fresh and sends ARP requests to the host. If the host responds, the switch has REACHABLE neighbor entries for hosts that are not on the connected subnet.
To work around this issue, change the value of arp_ignore to 2. See Address Resolution Protocol in the Cumulus Linux user guide for more information.
3.3.2-3.7.13, 4.0.0-4.2.1
CM-16571 NCLU cannot manage rsyslog to addresses routed via a VRF. In Cumulus Linux 4.0.0 and later, management VRF is enabled by default. To work around this issue, update the /etc/network/interfaces file to disable management VRF.
3.4.3-3.7.13, 4.0.0-4.2.1
CM-15812 Multicast forwarding fails for IP addresses whose DMAC overlaps with reserved DIPs.
3.2.1-3.7.13, 4.0.0-4.2.1

Fixed issues in 4.2.0

Issue ID    Description    Affects
CM-30525 When a specific PIM join/prune packet is received from a PIM neighbor, the pimd process might crash with a core file.
4.0.0-4.1.1
CM-30447 The following vulnerabilities have been announced in ruby2.5, which is not installed on the switch by default, but is available in the repository for optional installation:
CVE-2020-10663: The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.
CVE-2020-10933: An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x through 2.6.5, and 2.7.0. If a victim calls BasicSocket#read_nonblock(requested_size, buffer, exception: false), the method resizes the buffer to fit the requested size, but no data is copied. Thus, the buffer string provides the previous value of the heap. This may expose possibly sensitive data from the interpreter.
Vulnerable: <= 2.5.5-3+deb10u1
Fixed: 2.5.5-3+deb10u2
4.0.0-4.1.1
CM-30405 Some Dell N3048EP switches ship with an incompatible ONIE version. To install Cumulus Linux on the switch, you must upgrade ONIE to version 4.39.1.0-9. To download this version of ONIE, contact Dell.
CM-30364 Static routes in FRR with their next hop defined as a local IPv4 or IPv6 address are rejected with the following message:
% Warning!! Local connected address is configured as Gateway

To work around this issue, make sure to define static routes that are intended to point directly at a particular interface with the interface itself as the next hop instead of the address on that interface. For example:
switch(config)# ipv6 route 2001:bee:bee:3::/64 swp1/1

CM-30340 When you try to retrieve the Q-BRIDGE-MIB::dot1qTpFdbTable (1.3.6.1.2.1.17.7.1.2.2), snmpd does not return any results.
4.1.1
CM-30038 The following vulnerability has been announced that affects GnuTLS:
CVE-2020-13777: GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TLS server always uses wrong data in place of an encryption key derived from an application.
Vulnerable: <= 3.6.7-4+deb10u3
Fixed: 3.6.7-4+deb10u4
4.0.0-4.1.1
CM-30000 When VRF route leaking is configured, iBGP sessions might reset with the peer reporting:
UPDATE Message Error/Optional Attribute Error

The error is triggered by an UPDATE message that contains the EXTENDED_COMMUNITIES attribute with an empty list of extended communities.
To work around this issue, apply an extended community with a route map using import <vrf> route-map <name> in the importing VRF address family. Make sure that the route map contains the set extended community rt <value:value> command; for example, set extended community rt 11:22.
4.1.0-4.1.1
CM-29841 The following vulnerabilities have been announced that affect Unbound:
CVE-2020-12662 and CVE-2020-12663 have been discovered in Unbound, a recursive-only caching DNS server; a traffic amplification attack against third party authoritative name servers (NXNSAttack) and insufficient sanitisation of replies from upstream servers could result in denial of service via an infinite loop.
Unbound is not provided for Cumulus Linux, but the libunbound8 library package is available for optional installation on Cumulus Linux.
Vulnerable: <= 1.9.0-2+deb10u1
Fixed: 1.9.0-2+deb10u2
4.0.0-4.1.1
CM-29830 Unicast traffic from downlink hosts is flooded to multiple remote VTEPs, which might also cause high HwIfOutQDrops/TX_DRP on the uplink ports.
To work around this issue, restart switchd.
3.7.10-4.1.1
CM-29808 On the Mellanox switches with BFD configured, you might see high load averages.
4.1.1
CM-29778 If packets with an invalid checksum are received, the cumulus-poe service might restart and you see log messages similar to the following:
May 20 10:48:04.665635 leaf01 poed[8012]: ERROR : invalid checksum in response [0xC2:0x00]
May 20 10:48:04.671299 leaf01 poed[8012]: poed : ERROR : invalid checksum in response [0xC2:0x00]
May 20 10:48:04.708620 leaf01 systemd[1]: cumulus-poe.service: main process exited, code=exited, status=1/FAILURE
The service starts automatically but there is an impact to POE devices momentarily.
3.7.12, 4.0.0-4.1.1
CM-29760 Several vulnerabilities were discovered in BIND, a DNS server implementation.
bind9-host (containing only /usr/bin/host) and some libraries from the bind9 source package are installed on the switch by default; the BIND server referred to in these vulnerabilities is not installed by default but is available in the repository for optional installation.
CVE-2019-6477: It was discovered that TCP-pipelined queries can bypass tcp-client limits resulting in denial of service.
CVE-2020-8616: It was discovered that BIND does not sufficiently limit the number of fetches performed when processing referrals. An attacker can take advantage of this flaw to cause a denial of service (performance degradation) or use the recursing server in a reflection attack with a high amplification factor.
CVE-2020-8617: It was discovered that a logic error in the code which checks TSIG validity can be used to trigger an assertion failure, resulting in denial of service.
Vulnerable: 9.11.5.P4+dfsg-5.1
Fixed: 9.11.5.P4+dfsg-5.1+deb10u1
4.0.0-4.1.1
CM-29691 The following vulnerability has been announced in the apt package:
CVE-2020-3810: Shuaibing Lu discovered that missing input validation in the ar/tar implementations of APT, the high level package manager, could result in denial of service when processing specially crafted deb files.
Vulnerable: <= 1.8.2
Fixed: 1.8.2.1
4.0.0-4.1.1
CM-29576 The Conntrack table fills up with OFFLOAD entries for flows that do not match the NAT rules in iptables.
4.1.0-4.1.1
CM-29568 When NAT is configured, non-NAT traffic is incorrectly forwarded to the CPU.
4.1.0-4.1.1
CM-29556 The following vulnerability has been announced that affects ntp:
CVE-2020-11868: ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows an off-path attacker to block unauthenticated synchronization via a server mode packet with a spoofed source IP address, because transmissions are rescheduled even when a packet lacks a valid origin timestamp.
This affects: ntp-4.2.8p12 (possibly earlier) and ntp-4.2.8p13
The fix for https://bugs.ntp.org/3445 introduced a bug whereby a system that is running ntp-4.2.8p12 or p13 that only has one unauthenticated time source can be attacked in a way that causes the victim’s next poll to its source to be delayed, for as long as the attack is maintained.
http://support.ntp.org/bin/view/Main/NtpBug3592 gives the following mitigations if it is not possible to upgrade to a version with the fix:
  • Use authentication with symmetric peers.
  • Have enough sources of time. The default NTP configuration in Cumulus Linux has four time sources.
Fixed: 4.2.8p12+dfsg-4+cl4u13
3.0.0-4.1.1
CM-29513 Configuration of interfaces fails to apply when you set FEC. You see a message similar to the following:
cmd '/sbin/ethtool --set-fec  encoding rs' failed: returned 255      (Cannot set FEC settings: Connection timed out

To work around this issue, reapply the configuration with NCLU and run the net commit or ifreload -a a second time to allow the interface configuration to apply.
4.1.1
CM-29485 The following vulnerability affects the openldap package:
CVE-2020-12243: A vulnerability was discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. LDAP search filters with nested boolean expressions can result in denial of service (slapd daemon crash).
Vulnerable: <= 2.4.47+dfsg-3+deb10u1
Fixed: 2.4.47+dfsg-3+deb10u2
4.0.0-4.1.1
CM-29468 On the Dell S4148T optical module, the low power polarity bit is set incorrectly and the switch port does not come up.
To work around this issue, edit the /etc/hw_init.d/S10qsfp_init.sh file and change the lpmode line to be 0x3f instead of 0x00:
# disable lpmode, reset all QSFP+/QSFP28 ports
echo 0x3f > ${master_cpld}/qsfp_30_25_lpmode
echo 0x3f > ${master_cpld}/qsfp_30_25_modsel
echo 0x3f > ${master_cpld}/qsfp_30_25_reset

Reboot the switch and check that the switch port comes up.
Important: Before upgrading Cumulus Linux 4.x with Debian packages that includes a fix for this problem, you must change the lpmode line back to 0x00.
4.1.0-4.1.1
CM-29460 The following security vulnerabilities affect qemu packages, which are available for optional installation on Cumulus Linux:
CVE-2019-12068: In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+dfsg-8+deb10u2, and 1:2.1+dfsg-12+deb8u12 (fixed), when executing script in lsi_execute_script(), the LSI scsi adapter emulator advances 's->dsp' index to read next opcode. This can lead to an infinite loop if the next opcode is empty. Move the existing loop exit after 10k iterations so that it covers no-op opcodes as well.
CVE-2019-15034: hw/display/bochs-display.c in QEMU 4.0.0 does not ensure a sufficient PCI config space allocation, leading to a buffer overflow involving the PCIe extended config space.
CVE-2019-20382: QEMU 4.1.0 has a memory leak in zrle_compress_data in ui/vnc-enc-zrle.c during a VNC disconnect operation because libz is misused, resulting in a situation where memory allocated in deflateInit2 is not freed in deflateEnd.
CVE-2020-1983: A use after free vulnerability in ip_reass() in ip_input.c of libslirp 4.2.0 and prior releases allows crafted packets to cause a denial of service.
Vulnerable: <= 3.1+dfsg-8+deb10u4
Fixed: 3.1+dfsg-8+deb10u5
4.0.0-4.1.1
CM-29420 When you configure the management interface class (as shown below), eth0 remains in an admin down state on subsequent reboots:
allow-mgmt eth0
iface eth0 inet dhcp
vrf mgmt
allow-mgmt mgmt
iface mgmt
address 127.0.0.1/8
address ::1/128
vrf-table auto

4.1.0-4.1.1
CM-29385 The following vulnerability affects the openssl package:
CVE-2020-1967: Bernd Edlinger discovered that malformed data passed to the SSL_check_chain() function during or after a TLS 1.3 handshake could cause a NULL dereference, resulting in denial of service.
Vulnerable: <= 1.1.1d-0+deb10u2
Fixed: 1.1.1d-0+deb10u3
4.0.0-4.1.1
CM-29367 On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic.
3.7.11-4.1.1
CM-29312 FRR incorrectly orders advertise-all-vni to be later in the configuration than manual rd or route-target definitions. This causes the rd or route-target configuration to be misapplied or not applied at all.
To work around this issue, when you manually configure the rd or route-target for a VNI, you must manually edit the /etc/frr/frr.conf file to define advertise-all-vni before the rd or route-target configuration within the l2vpn evpn address family.
4.0.0-4.1.1
CM-29296 The following vulnerabilities have been announced in git, which is available in the repository for optional installation:
CVE-2020-5260: Felix Wilhelm of Google Project Zero discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline, the credential helper machinery can be fooled to return credential information for a wrong host.
CVE-2020-11008: Carlo Arenas discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted.
Vulnerable: <= 2.20.1-2+deb10u1 (CVE-2020-5260) <= 2.20.1-2+deb10u2 (CVE-2020-11008)
Fixed: 2.20.1-2+deb10u3
4.0.0-4.1.1
CM-29284 The following vulnerabilities affect git, which is available in the repository for optional installation:
CVE-2020-5260: Felix Wilhelm of Google Project Zero discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline, the credential helper machinery can be fooled to return credential information for a wrong host.
CVE-2020-11008: Carlo Arenas discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted.
3.0.0-3.7.12, 4.0.0-4.1.1
CM-29270 On Mellanox switches with the Spectrum-2 ASIC, when you use more than 16 bonds on the switch, you might experience forwarding issues or see an error similar to the following in switchd.log:
2020-04-07T15:59:27.345421+10:00 le-266-q14-2-res switchd[8422]: hal_mlx_bond.c:1696 ERR member_fwd_update_cb spartan-bm87 collector set failed for swp3s0: Driver’s Return Status is Non-Zero
2020-04-07T15:59:27.345557+10:00 le-266-q14-2-res switchd[8422]:
2020-04-07T15:59:27.348432+10:00 le-266-q14-2-res switchd[8422]: hal_mlx_bond.c:1705 ERR member_fwd_update_cb spartan-bm87 distributor set failed for swp3s0: Driver’s Return Status is Non-Zero

To work around this issue, configure fewer than 16 bonds on a switch.
4.1.0-4.1.1
CM-29183 On the Mellanox SN2010 and SN2100 switch, the fan speed might ramp up and down.
4.1.0-4.1.1
CM-29178 On Mellanox switches, the thermal monitoring script starts in suspended mode and, as a result, the fans run at sixty percent. You also see the following log message:
hw-management.sh[847]: Thermal algorithm is manually suspend.

To work around this issue, run the following command to enable thermal monitoring:
cumulus@switch:~$ echo 0 | sudo tee /var/run/hw-management/config/suspend

4.0.0-4.1.1
CM-29165 With FRR or OSPF, you might see an inconsistent link-state advertisement. For example, when you configure the OSPF default originate route as metric-type 1 with a specific metric, Cumulus Linux shows the default originate route as an external metric-type 2 route with the default metric in the database. This issue typically occurs when both IPv4 and IPv6 default routes exist in the routing table.
3.7.12-4.1.1
CM-29145 If you try to remove BFD configuration with a reload, the FRR service fails. The reload action results in a TypeError: expected string or bytes-like object error.
You see this issue only if there is default configuration, such as configuration in the /etc/frr/frr.conf file that is suppressed from view in the FRR running configuration.
To work around this issue, remove the default configuration lines; for example:
username cumulus nopassword

4.1.0-4.1.1
CM-29131 NTP does not start when you use the default VRF instead of the management VRF.
4.1.0-4.1.1
CM-29111 Due to a packaging error, all switches installed from the same Cumulus Linux image have the same SSH host keys. This affects switches originally installed with Cumulus Linux 4.0.0 and 4.1.0 from a disk image only (including those that were upgraded by apt to a later release).
As a result, this issue allows an attacker to more easily bypass remote host verification when a user connects by SSH to what is believed to be a previously used remote host but is really the attacker's host. For example, this issue can be exploited by a spoofing or man-in-the-middle attack.
To resolve this issue, generate new SSH host keys for any switch that has Cumulus Linux 4.0.0 or 4.1.0 installed on it:

cumulus@switch:~$ sudo rm /etc/ssh/ssh_host*
cumulus@switch:~$ sudo dpkg-reconfigure openssh-server
cumulus@switch:~$ sudo systemctl restart ssh

After generating new SSH host keys, SSH clients that have previously logged into that switch will see a warning that the switch's SSH host key changed; this is expected behavior. Be sure to inform anyone who may log in to the switch that you generated new SSH host keys. These users must log in to the affected switches with their SSH clients, where they will be given instructions on how to remove the old SSH host keys from the known hosts files to avoid a spoofing or man-in-the-middle attack directed at their SSH clients.
Notes
  • This issue is fixed in Cumulus Linux 4.1.1. However, Cumulus Networks recommends you generate new SSH host keys as this is the most reliable solution.
  • If you upgrade from Cumulus Linux 4.0.0 or 4.1.0 to version 4.1.1 or later using apt-get and you did not generate new SSH host keys, you will need to generate new SSH host keys after the upgrade.
  • If you perform a fresh install of Cumulus Linux 4.1.1 or later using a disk image, you will lose your existing local configuration.
4.0.0-4.1.0
CM-29068 On the Broadcom switch with the Trident3 ASIC, packet priority remark values assigned from each internal CoS value continue to work with default values; if you change the internal CoS value, the change does not take effect.
3.7.11-4.1.1
CM-29044 A large number of flapping peers causes FRR to require a corresponding update to internal data structures that track peer information. Updating this internal data structure does not delete links that are down due to the flapping. The size of this array then grows to contain both current peers as well as peers that should have been deleted during the flap processing. The contents of this array is processed by FRR to poll the links, which consumes CPU for all items in the array. This additional polling consumes more CPU than necessary but has no functional impact.
To work around this issue, restart FRR.
3.7.11-3.7.12, 4.0.0-4.1.1
CM-28995 After you flap an MLAG peerlink, a rare condition might occur where routes and neighbors for VXLAN-enabled VLANs are misprogrammed as non-VXLAN routes and neighbors due to VNI state transitions. This results in a forwarding failure for traffic destined to these misprogrammed routes and neighbors.
Note: Do not flap a VNI interface manually. The only expected time for a VNI interface to go down is when the MLAG secondary switch brings the VNIs protodown during a peer link failure where the backup IP address is still active.
To recover from this condition, restart switchd with the sudo systemctl restart switchd command.
3.7.10-3.7.12, 4.1.0-4.1.1
CM-28982 On the EdgeCore Minipack-AS8000, when you try to configure ROCEv2, you see errors indicating that PFC is not working properly.
4.0.0-4.1.1
CM-28948 Cumulus Linux supports a maximum of 300 ACLs for use with 802.1X interfaces. This limit encompasses the default ACLs, pre-auth ACLs and dynamic ACLs. Exceeding this limit can affect the performance of the switch.
4.1.0-4.1.1
CM-28944 A change in a route map prefix list that should remove a route might not be reflected in the ospf6 database or in peers, and the route might not be deleted.
To work around this issue, reenter the redistribute <connected|static> route-map <route-map-name> statement in the configuration.
3.6.2-4.1.1
CM-28925 The global MTU setting in the mtu.json file does not take effect on SVI interfaces after ifreload -a.
To work around this issue, run sudo systemctl restart networking or restart the switch.
Note: A network restart is a disruptive operation.
4.1.0-4.1.1
CM-28900 You might see a core file in FRRouting related to OSPFv3 if the switch is configured as both an OSPFv3 ABR and ASBR, and other switches in the same area are also configured as both ABR and ASBR. This issue is not seen with a single ABR or ASBR in an area or if there are multiple ASBRs in an area not acting as ABRs. To work around this issue, do not perform redistribution on more than one ABR in the same area.
4.0.0-4.1.1
CM-28867 The QuantaMesh BMS T3048-LY8 switch shows a low fan RPM in syslog.
3.7.5-3.7.12, 4.0.0-4.1.1
CM-28862 On the Edgecore AS5812 switch, the Innodisk DIMM causes a DIMM temperature sensor absent alert.
3.7.12, 4.0.0-4.1.1
CM-28821 When configuring VRF route leaking, if you define import vrf route-map <name> but do not have any imported VRFs, the route map command displays incorrectly, and as a result, FRR fails to reload.
4.0.0-4.1.1
CM-28810 When the garbage collector does not release memory back to the operating system, clagd might consume a large amount of memory. As a result of low system memory, systemd might shut down services to reclaim memory.
3.7.11-3.7.12, 4.1.0-4.1.1
CM-28682 On the Mellanox Spectrum switch in an EVPN symmetric configuration with MLAG, simultaneously shutting down the layer 3 interfaces that serve as uplinks to the VXLAN fabric might result in traffic loss of up to 15 seconds.
4.1.0-4.1.1
CM-28656 In OVSDB VLAN-aware mode, removing a VTEP binding on the NSX controller fails to clean up all interfaces associated with the logical switch.
3.7.12, 4.0.0-4.1.1
CM-28596 On the Dell Z9100 switch, 100G-SR4 modules might not link up reliably in certain ports.
swp1, 2, 3, 9, 10, 23, 24, 30, 31, and 32 might be affected
To work around this issue, move 100G SR4 modules to one of the ports not affected by this issue.
3.7.11-4.1.1
CM-28465 When you try to configure link-down on a parent interface of a subinterface configured in a VRF, you encounter an error.
3.7.11-4.1.1
CM-28442 PTM mis-detects incorrect hostnames of LLDP neighbors and does not fail them as expected. Instead they end up in an N/A cabling status.
3.7.11-4.1.1
CM-28441 If an LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns.
3.7.11-4.1.1
CM-28376 On the Dell S5232F-ON switch, the output of ledmgrd shows amber_blinking but smonctl shows all OK.
3.7.11-3.7.12, 4.0.0-4.1.1
CM-28340 Mellanox switches with the Spectrum A0 ASIC that are integrated with VMware NSX experience BFD connectivity issues with service nodes. As a result, VXLAN tunnels do not work.
Mellanox switches with the Spectrum A1 ASIC do not have this issue.
3.7.11-3.7.12, 4.0.0-4.1.1
CM-28189 When host-resources and ucd-snmp-mib are polled, you see permission denied messages similar to the following:
Jan 30 19:22:53 switch123 snmpd[23172]: Cannot statfs /sys/kernel/debug/tracing: Permission denied

4.0.0-4.1.1
CM-28136 The MLAG switch pair has VLANs defined that are not used on MLAG bonds. These VLANs still synchronize MAC addresses across to the peer switch. This results in log messages that indicate a MAC address is installed and the VLAN is not defined; for example:
RTM_NEWNEIGH with unconfigured vlan XXXX on port peerlink

3.7.10-4.1.1
CM-28078 On the Broadcom switch with the Trident3 ASIC, packet priority remark values assigned from each internal CoS value continue to work with default values; if you change the internal CoS value, the change does not take effect.
3.7.11-4.1.1
CM-28061 On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic.
3.7.11-4.1.1
CM-27982 switchd crashes when dynamic VRF route leaking is enabled and the following is true:
  • The default route is leaked from VRF1 to VRF2
  • Hardware-based dynamic VRF route leaking is configured (vrf_route_leak_enable_dynamic is set to TRUE in the /etc/cumulus/switchd.conf file).
You might see logs similar to the following in /var/log/syslog:
kernel: [159400.526241] switchd[21374]: segfault at 1229cdd84 ip 00000000004142ca sp 00007ffd557a86d0 error 4 in switchd[400000+71000]

To work around this issue, use a route map to filter the default route (the source VRF is imported into the destination VRF).
3.7.10-3.7.12, 4.0.0-4.1.1
CM-27753 The EdgeCore Minipack-AS8000 switch supports FEC RS by default; you cannot disable this setting. However, the ethtool --show-fec command output indicates that FEC is disabled. Also, if you try to change the FEC setting, Cumulus Linux reports an error. For example:
cumulus@switch:~$ net add interface swp23 link speed 100000
cumulus@switch:~$ net add interface swp23 link autoneg off
cumulus@switch:~$ net add interface swp23 link fec rs
"/sbin/ifreload -a" failed:
error: swp23: cmd '/sbin/ethtool --set-fec swp23 encoding rs' failed: returned 255 (Cannot set FEC settings: Operation not supported)
Command '['/sbin/ifreload', '-a']' returned non-zero exit status 1

4.0.0-4.1.1
CM-27678 The net show bridge macs command returns an empty interface column.
To work around this issue, run the bridge fdb show command to show the interface.
4.0.0-4.1.1
CM-27637 On the EdgeCore Minipack-AS8000 switch, a 100G DAC link does not come up when auto-negotiation is enabled on the neighbor. This switch does not support 100G DAC auto-negotiation at this time.
4.0.0-4.1.1
CM-27581 On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present.
3.7.11-4.1.1
CM-27489 Mellanox switches might experience higher CPU usage from the sx_sdk service or when BFD is in use.
To work around this issue, disable BFD to alleviate some of the CPU load.
4.0.0-4.1.1
CM-27254 On the Mellanox switch with the Spectrum and Spectrum-2 ASIC, IPv6 egress ACLs are not supported on subinterfaces.
4.0.0-4.1.1
CM-27136 With a high number of active routes (20K or more), when you perform a networking restart, the FRR log files might become flooded with error messages associated with the restart. These logs are normal and are not directly a problem. However, the large number of messages can cause the logs to rotate away any previous history, which prevents you from tracing back events leading up to the restart. In a troubleshooting environment, this can be problematic.
4.0.0-4.1.1
CM-27049 On the Mellanox switch with the Spectrum 2 ASIC, interfaces using 100G or 200G Direct Attach Cables (DACs) do not come up with the interface default configuration.
To work around this issue and bring the interfaces up, perform the following configuration on both sides of the link:
  • Set the interface speed to the desired speed
  • Set link auto-negotiation to off
  • Set link FEC to RS mode
4.0.0-4.1.1
CM-26875 After you delete an IPv6 numbered BGP peer group neighbor, Cumulus Linux might continue to send route advertisements.
To work around this issue, restart FRR after removing the IPv6 numbered configuration.
3.7.9-4.1.1
CM-26841 In the ethtool -m output, the Revision Compliance field might show Unallocated when the SFF-8636 Revision Compliance value is SFF-8636 version 2.8 or later.
4.0.0-4.1.1
CM-26655 If you reconfigure an NTP server with NCLU using different trailing options after the IP address (such as iburst), an invalid configuration is added to the /etc/ntp.conf file. For example:
net add time ntp server 1.2.3.4 iburst
net commit
net add time ntp server 1.2.3.4
net commit

If you need to alter existing server configurations, first remove the server, commit, then re-add the server with any trailing options.
3.7.9-4.1.1
CM-26147 On the EdgeCore AS4610 switch, the ping command fails unless you run the command with sudo.
To work around this issue, run the following commands:
cumulus@switch:~$ sudo setcap cap_net_raw+ep /usr/share/mgmt-vrf/bin/ping
cumulus@switch:~$ sudo setcap cap_net_raw+ep /usr/share/mgmt-vrf/bin/ping6

Run the following command to verify the workaround:

cumulus@switch:~$ getcap /usr/share/mgmt-vrf/bin/ping*

You should see the following output:

/usr/share/mgmt-vrf/bin/ping = cap_net_raw+ep
/usr/share/mgmt-vrf/bin/ping6 = cap_net_raw+ep

3.7.6-3.7.10, 4.1.0-4.1.1
CM-26138 You cannot specify a source and destination MAC address in an ERSPAN ebtables rule. For example, the following rule does not work:
-A FORWARD -i swp5 -s 00:25:90:b2:bd:9d -d 50:6b:4b:96:c4:04 -j erspan --src-ip 100.1.1.2 --dst-ip 100.1.1.1 --ttl 64

3.7.6-3.7.12, 4.0.0-4.1.1
CM-25923 The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.
To work around this issue, rely on a different source of default route other than injection with default-information originate.
3.7.8-4.1.1
CM-25766 On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work.
3.7.7-4.1.1
CM-24751 On the QuantaMesh T4048-IX8 or EdgeCore AS7326-56X switch, when using a 1000BASE-T SFP module, the module LEDs do not light to reflect link status.
3.7.3-4.1.1
CM-21769 On the Mellanox switch, GRE tunneling does not work if the tunnel source is configured on an SVI interface. If the tunnel source is configured on a physical switch port, then tunneling works as expected.
3.6.1-4.1.1