- 1 Overview
- 2 Security
- 3 New features
- 4 Upgrade notes
- 5 CLI changes
- 6 Configuration mode
- 7 Operational mode
- 8 Behaviour changes
- 9 Resolved issues
- 10 Development environment changes
- 11 Maintenance releases
The 1.0.0 release ("hydrogen" branch) is the first release after the VC6.6 source code fork.
Release date: 2013 Dec 22
Vyatta Core installations can be upgraded by the usual means, with "add system image", although digital signature verification will not be possible because the key is missing from the default VC setup. The solution is to add the public key manually.
VyOS images added from Vyatta Core are named "VyOS" without the version part in GRUB menu. It is a cosmetic problem and does not affect functionality.
Adding Vyatta Core images from VyOS may break the boot configuration and is not supported.
No existing configuration commands were modified or removed. For new commands, see the pages in the "New features" section.
|show hardware scsi [detail]||Added||Lists SCSI devices|
|show hardware usb [detail]||Changed||Used to be "show system usb"|
|show users recent||Added||Displays recently logged in users|
- "show system memory" now displays buffer-adjusted ("intuitive") values. Use "show system memory detail" to view detailed information.
- The config file can now be selected at boot time with the "vyos-config=/path/to/file" kernel option. See the boot options documentation for details.
- Default timezone is now UTC.
- Default password hashing algorithm is SHA512 instead of MD5.
- NAT and firewall monitor commands issue a warning on an attempt to monitor a rule that does not have "log enable" (the monitor searches the logs for a specific message pattern, so those commands give no results for rules with logging disabled).
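The SHA512 default applies to hashes created after the upgrade. A stored MD5 hash cannot be converted without the password, so existing users keep `$1$` hashes until they set a new one. The following is an added example (not part of the VyOS release notes or VyOS code) that scans a Vyatta-style config for such users. The sample config, user names and hash strings are constructed, and the `encrypted-password` layout under `system login user` is an assumption about the config being audited.

```python
import re

# crypt(3) scheme prefixes: "$1$" is MD5-crypt, "$6$" is SHA512-crypt.
SCHEMES = {"1": "md5", "5": "sha256", "6": "sha512"}

# Constructed sample in Vyatta-style config syntax; hash values are placeholders.
SAMPLE_CONFIG = '''
system {
    login {
        user alice {
            authentication {
                encrypted-password "$1$EXAMPLEsalt$CONSTRUCTEDmd5hashvalue"
            }
            level admin
        }
        user bob {
            authentication {
                encrypted-password "$6$EXAMPLEsalt$CONSTRUCTEDsha512hashvalue"
            }
        }
    }
}
'''

def audit_password_hashes(config_text):
    """Return {username: scheme} for every encrypted-password in the config."""
    result, user = {}, None
    for line in config_text.splitlines():
        line = line.strip()
        m = re.match(r'user\s+(\S+)\s*\{$', line)
        if m:
            user = m.group(1)          # remember which user block we are in
            continue
        m = re.match(r'encrypted-password\s+["\']?\$([^$]+)\$', line)
        if m and user:
            result[user] = SCHEMES.get(m.group(1), "unknown")
        elif line.startswith("encrypted-password") and user:
            result[user] = "unknown"   # no "$id$" prefix, e.g. locked or legacy hash
    return result

def users_needing_reset(config_text):
    """Users whose stored hash is not SHA512 and who must set a new password."""
    return sorted(u for u, s in audit_password_hashes(config_text).items()
                  if s != "sha512")

if __name__ == "__main__":
    for name in users_needing_reset(SAMPLE_CONFIG):
        print(f"{name}: password not SHA512-hashed, reset required")
```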
|Bug #3||Enhancement||"show system memory" should show human-readable buffer/cache-adjusted figures||Daniil Baturin|
|Bug #5||Enhancement||Add Ldap/Active Directory support to webproxy||Vyatta (Daniil Baturin)|
|Bug #24||Enhancement||"show users recent" command to show recent logins||Daniil Baturin|
|Bug #25||Enhancement||Ability to use Vyatta CLI command set from within scripts, non-interactive SSH sessions, cron jobs, etc||Vyatta (John Southworth, Daniil Baturin)|
|Bug #31||Text||During ISO boot, VGA screen changes to white||Daniil Baturin|
|Bug #51||Minor||/etc/timezone is not set correctly resulting in cron using UTC rather than system time||Daniil Baturin|
|Bug #55||Minor||Recovering lost Admin Password does not work as expected||Tom Martinson|
|Bug #56||Enhancement||Add option to select config at boot time||Daniil Baturin|
|Bug #57||Minor||Ensure correct switching between release and development builds||Daniil Baturin|
|Bug #58||Major||BGP config does not load properly with peer-groups||Daniil Baturin|
|Bug #62||Major||dhcpv6-relay not configuring relay address||Ubiquiti Networks (Stig Thormodsrud)|
|Bug #65||Enhancement||Make package repos used for image build configurable||Daniil Baturin|
|Bug #66||Enhancement||Remove dependencies on libsablot||Daniil Baturin|
|Bug #69||Enhancement||"show system usb" should be "show hardware usb"||Daniil Baturin|
|Bug #70||Enhancement||Add command to view SCSI devices||Daniil Baturin|
|Bug #76||Enhancement||Add task scheduler support||Daniil Baturin|
|Bug #77||Major||CVE-2013-6075: Remote DoS and privilege escalation in StrongSWAN||Martin Willi (pulled from StrongSWAN)|
|Bug #79||Enhancement||Replace original "one repo per branch" layout with debian-like "distribution per branch"||Daniil Baturin|
|Bug #81||Enhancement||Update dhcp server version to upstream||ISC, merging and reintegrating patches—Mikhail Vasiliev|
|Bug #89||Enhancement||Unused dependencies on package vyatta-strongswan||Kim Hagen|
|Bug #91||Enhancement||Change password hashing algorithm from MD5 to SHA512||Ubiquiti Networks (Stig Thormodsrud)|
|Bug #92||Enhancement||Change default timezone from GMT to UTC||Daniil Baturin|
|Bug #93||Minor||Set distribution in default config to the current release branch instead of 'stable' to prevent accidental upgrade to different release||Daniil Baturin|
|Bug #95||Enhancement||"monitor nat ... rule" and "monitor firewall ... rule" commands should issue a warning if logging is not enabled for that rule||Daniil Baturin|
|Bug #96||Trivial||Image version is not displayed in GRUB menu||Daniil Baturin|
Development environment changes
The build system now allows selecting the package mirrors used for the image build with the "--with-debian-bootstrap-mirror=", "--with-debian-mirror=", and "--with-vyos-mirror=" configure options.
Release date: 2014 Jan 19
|Bug #98||Minor||"add system image" doesn't work with HTTP redirects||Daniil Baturin|
|Bug #113||Major||Syntax error in LimiterClass.pm||Chris Wadge|
|Bug #121||Minor||Warning on "show dhcp server leases" when failover is configured||Roman, Daniil Baturin|
Release date: 2014 Feb 04
|Bug #135||Major||ipsec.secrets always put 0.0.0.0 peers at top of the list||Ubiquiti Networks (Stig Thormodsrud)|
|Bug #133||Major||snmp v3 user settings lost after reboot||Vyatta|
Experimental VMWare OVA added.
Release date: 2014 May 09
This release fixes two security problems:
- DSA-2922: remote DoS in StrongSWAN 
- CVE-2014-2338: authentication bypass vulnerability in IKEv2 in StrongSWAN 
Because of a mistake in merging branches, an important fix for SSH key fetching on the AWS platform did not get into the release. This will be corrected by a new maintenance release shortly.
|Bug #144||Major||VyOS configure will fail to load if using policy route with firewall groups||Cesar Fazan|
|Bug #146||Enhancement||Account RemoteIP sessions to a radius Calling-Station-Id (PPTP and L2TP)||Toni Cunyat|
|Bug #148||Text||'ping' does ipv6 too, but help only mentions IPv4||Mark Schouten|
|Bug #151||Minor||"show openvpn server status" displays incorrect tunnel IPs||Paul Gear|
|Bug #156||Minor||"show version" displays "unknown kernel version" error on *-vyos kernels||Daniil Baturin|
|Bug #157||Text||"show version" displays "Intel 64bit" system type regardless of actual CPU vendor||Daniil Baturin|
|Bug #169||Major||unable to add domain to url-filtering squidguard||Daniil Baturin|
|Bug #172||Major||OpenVPN configuration failure with concatenated CA file||Ryan Robertson|
|Bug #180||Minor||save config using scp fails||Hiroyuki Sato|
|Bug #183||Minor||VTI will not be up automatic when IPsec SA up||Masakazu Asama|
|Bug #185||Minor||Conntrack logging fails to start on boot||Kim Hagen|
|Bug #187||Text||initramfs scripts suggest to report a bug to debian||Daniil Baturin|
|Bug #199||Major||DSA-2922-1: remote DoS vulnerability in StrongSWAN||Tobias Brunner (pulled from StrongSWAN)|
|Bug #201||Minor||CVE-2014-2338: authentication bypass vulnerability in IKEv2||Martin Willi (pulled from StrongSWAN)|
Release date: 2014 June 16
Security issues resolved:
|Bug #207||Minor||Standard packages in vyos from debian squeeze need updating||Debian developers|
|Bug #214||Minor||Tasks with h and d prefixes run more often than they should||mjpcomp|
|Bug #217||Minor||CLI allows interval values longer than the natural interval (e.g. over 60 minutes)||Daniil Baturin|
|Bug #232||Major||task-scheduler: delete on 1 task, deletes them all||Stig Thormodsrud|
Release date: 2014 September 26
If you are using Amazon Web Services, pick the vyos-1.0.5-amd64.iso image.
Security issues resolved:
- CVE-2014-7169 ("shellshock 2.0")
- CVE-2014-6271 (the original "shellshock")
- DSA-3031-1 (buffer overflow in APT)
- DSA-3025-1 (data invalidation problem in APT)
- DSA-3024-1 (side-channel attack on Elgamal encryption subkeys in GnuPG)
- DSA-3022-1 (incorrect cookie handling in curl)
- DSA-3021-1 (multiple vulnerabilities in file utility)
- DSA-3012-1 (buffer overflow in glibc)
- DSA-2998-1 (multiple vulnerabilities in OpenSSL)
- DSA-2978-1 (denial of service in libxml2 entity substitution)
On Amazon Web Services you may not be able to modify the config after first boot when you deploy the AMI. If you get a "set failed" error in response to configuration commands, reboot the machine.
The issue does not affect subsequent operations. It will be fixed in the upcoming 1.1.0 release.