1.1.0/release notes

From VyOS

Overview

The 1.1.0 release ("helium" branch) is the feature expansion release following the 1.0.x series.

New features

Experimental features:

New pipes:

| strip-private — removes private information from the conf mode "show" output.

# show system login | strip-private 
 user xxxxxx {
     authentication {
         encrypted-password xxxxxx
     }
     level admin
 }

| commands — converts conf mode "show" output to set commands.

# show interfaces tunnel | commands 
set tunnel tun0 encapsulation 'gre'
set tunnel tun0 local-ip '10.46.1.242'
set tunnel tun0 remote-ip '10.91.19.1'
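The following Python is an added illustration of what these two pipes do, not VyOS's own implementation: it parses brace-block "show" output into set commands and, in strip-private mode, masks secret values. Which leaf and tag names count as private is an assumption chosen for the example, and it masks SSH public keys as well (the case Bug #567 reports the 1.1.0 pipe missed); the sample block is constructed.

```python
"""Added example, not VyOS code: "| commands" turns brace-block "show"
output into set commands, "| strip-private" masks secrets. The private
leaf/tag lists are assumptions; SSH public keys are masked too."""

MASK = "xxxxxx"
# Leaf nodes whose values are masked (assumed list).
PRIVATE_LEAVES = {"encrypted-password", "plaintext-password",
                  "pre-shared-secret", "key"}
# Tag nodes whose tag value (e.g. the user name) is masked (assumed list).
PRIVATE_TAGS = {"user", "public-keys"}


def parse_show(text):
    """Return (enclosing_nodes, leaf_name, value) per leaf; enclosing_nodes is
    one word list per open block so ["user", "alice"] keeps its boundary."""
    leaves, stack = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            stack.append(line[:-1].split())
        elif line == "}":
            if not stack:
                raise ValueError("unexpected '}' in show output")
            stack.pop()
        else:
            name, _, value = line.partition(" ")
            value = value.strip().strip('"')
            leaves.append(([list(n) for n in stack], name, value or None))
    if stack:
        raise ValueError("unclosed block in show output")
    return leaves


def strip_private(leaves):
    """Apply the strip-private masking rules to parsed leaves."""
    out = []
    for nodes, name, value in leaves:
        nodes = [[n[0], MASK] if n[0] in PRIVATE_TAGS and len(n) > 1 else n
                 for n in nodes]
        if name in PRIVATE_LEAVES and value is not None:
            value = MASK
        out.append((nodes, name, value))
    return out


def to_set_commands(text, private=False):
    """Render "show" output as set commands relative to the shown path."""
    leaves = strip_private(parse_show(text)) if private else parse_show(text)
    cmds = []
    for nodes, name, value in leaves:
        cmd = "set " + " ".join([w for n in nodes for w in n] + [name])
        cmds.append(cmd if value is None else f"{cmd} '{value}'")
    return cmds


# Constructed sample in the shape of "show system login" with one user.
SAMPLE = """\
user alice {
    authentication {
        encrypted-password $6$examplesalt$examplehash
        public-keys alice@laptop {
            key AAAAB3NzaC1yc2EAAAADAQABAAABAQDexamplekeymaterial
            type ssh-rsa
        }
    }
    level admin
}
"""
```

Calling `to_set_commands(SAMPLE, private=True)` yields the same shape as the page's strip-private output, with the user name, password hash and key material replaced by `xxxxxx` while the non-secret `type ssh-rsa` and `level admin` leaves are kept.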

Upgrade notes

Both legacy VC systems and VyOS 1.0.x systems can be upgraded with "add system image", no special actions needed.

CLI changes

Configuration mode

Changes to already existing features:

| Command | Status | Comment |
|---|---|---|
| set interfaces ethernet ethX pppoe X disable | Added | Administratively disables a PPPoE session |
| set interfaces ethernet eth0 pppoe 0 default-route <auto none force> | Modified | Adds the "force" option to force the default route via the PPPoE session |
| set vpn pptp remote-access authentication require <chap pap mschap mschap-v2> | Added | Requires a specific authentication protocol |
| set interfaces openvpn vtunX server reject-unconfigured-clients | Added | Rejects clients that are not configured under "server client" (OpenVPN --ccd-exclusive option) |
| set interfaces openvpn <name> persistent-tunnel | Added | --persist-tun OpenVPN option |
| set interfaces <ethernet pseudo-ethernet bridge bonding> ... ip disable-arp-filter | Added | Disables ARP filter on an interface |
| set interfaces <ethernet pseudo-ethernet bridge bonding> ... ip enable-arp-accept | Added | Enables arp-accept on this interface |
| set interfaces <ethernet pseudo-ethernet bridge bonding> ... ip enable-arp-announce | Added | Enables arp-announce on this interface |
| set interfaces <ethernet pseudo-ethernet bridge bonding> ... ip enable-arp-ignore | Added | Enables arp-ignore on this interface |
| set system options ctrl-alt-del-action <ignore reboot poweroff> | Added | Changes the action the system performs on Ctrl-Alt-Del (default is ignore) |
| set firewall twa-hazards-protection <enable disable> | Added | Enables or disables RFC1337 TIME-WAIT assassination hazards protection |
| set interfaces <type> <name> ip source-validation <disable loose strict> | Added | Sets the source validation policy for the specified interface |
| set interfaces ethernet ethX ipv6 router-advert name-server <ipv6 address> | Added | Sets the RFC6106 name server to advertise in RA |
| set protocols rip passive-interface <interface-name or "default"> | Modified | "default" option is now available |
| set system syslog host <host> facility <facility> protocol (tcp udp) | Added | Sets the remote syslog protocol to TCP or UDP |
| set service snmp smux-peer <oid> | Added | Sets the SMUX peer OID |
| set vpn ipsec ike-group <group> proposal <proposal> dh-group <2 5 14-26> | Modified | DH groups 14 to 26 can now be set, in addition to 2 and 5 |
| set vpn ipsec <ike-group esp-group> proposal <proposal> hash <md5 sha1 sha256 sha384 sha512> | Modified | Accepts SHA2 hashes now, in addition to MD5 and SHA1 |
| set vpn ipsec ike-group <group> key-exchange <ikev1 ikev2> | Added | Sets the key exchange protocol version. Default is IKEv2. |
| set vpn ipsec ike-group <group> mobike <enable disable> | Added | Enables or disables MOBIKE. For IKEv1, default is disable; for IKEv2, default is enable. |
| set service ssh ciphers <ciphers list> | Added | Restricts SSH to ciphers from the list |
| set interfaces ... ip proxy-arp-pvlan | Added | Enables private VLAN proxy ARP for the interface |
| set system disable-dhcp-nameservers | Added | Disables DHCP updates to system name servers (make sure you configure them manually) |

Operational mode

| Command | Status | Comment |
|---|---|---|
| restart webproxy clear-cache | Added | Clears the webproxy cache and restarts the process (it is not possible to clear the cache without a restart) |
| force arp reply interface <interface name> address <IP address> | Added | Sends a gratuitous ARP reply for the specified address |
| force arp request interface <interface name> address <IP address> | Added | Sends a gratuitous ARP request for the specified address |
| show system memory cache | Fixed | Shows kernel cache information |
| show ip route cache | Deprecated | Returns nothing now, as the route cache was removed from the kernel |

Behaviour changes

| Command/action/component | Change | Old behaviour | Motivation |
|---|---|---|---|
| run generate openvpn key <file> | Places the key file in /config/auth unless a full path is specified | Used to place it in the current user's home directory | Ease of use, persistence through upgrades |
| DHCPv6 server | DHCPv6 server leases are now stored in /config | Used to store them in /var/lib | Persistence through upgrades |
| Firewall groups | Firewall port-groups and address-groups now use the native IPset range feature | Used to call IPset repeatedly for each member | Performance |
| Wireless | First offered cipher is now CCMP | Used to offer TKIP and then CCMP | Some broken clients use the first offered cipher |

Resolved issues

| Bug ID | Severity | Title | Contributor |
|---|---|---|---|
| Bug #2 | Enhancement | Add a command to clear the squid web proxy cache | Ewald van Geffen |
| Bug #7 | Enhancement | Descriptions for openvpn interfaces are invisible in "show interfaces" | Alex Harpin |
| Bug #8 | Enhancement | 'generate openvpn key <filename>' should place the key file in the appropriate/suggested directory (/config/auth) | Daniil Baturin |
| Bug #12 | Enhancement | Provide a config parameter to administratively disable a pppoe session. | Daniil Baturin |
| Bug #13 | Enhancement | PPTP/L2TP: provide options to require or refuse individual authentication protocols | Toni Cunyat |
| Bug #14 | Enhancement | openvpn - add ability on server to limit connection to clients with existing configuration files | Daniil Baturin |
| Bug #19 | Enhancement | Add support for 802.1ad "Q-in-Q" VLANs | Kim Hagen |
| Bug #21 | Enhancement | Add the ability to adjust system ARP settings via the CLI on a per interface basis | Kim Hagen |
| Bug #37 | Enhancement | Add Linux Standards Base release package | Kim Hagen, Daniil Baturin |
| Bug #39 | Enhancement | Add op-mode commands to send gratuitous ARP messages | Daniil Baturin |
| Bug #45 | Minor | better input validation could avoid messy iptables error output for misconfigured ports | Daniil Baturin |
| Bug #71 | Minor | "show system memory cache" gives "permission denied" message | Kim Hagen |
| Bug #73 | Enhancement | Make Ctrl-Alt-Del behaviour configurable | hydrajump |
| Bug #82 | Enhancement | Add support for Hyper-v vlan trunking | Kernel developers |
| Bug #86 | Minor | Qos Bug with multiple class match rules | Ubiquiti (Stig Thormodsrud), Carl Byington |
| Bug #87 | Trivial | Values for "authoritative" option don't show up in completion | Daniil Baturin |
| Bug #97 | Text | System shows "Linux vyatta 3.3.8-1-amd64-vyatta" at login | Daniil Baturin |
| Bug #99 | Minor | build-iso README is outdated | Daniil Baturin |
| Bug #100 | Enhancement | Automate build environment setup | Hiroyuki Sato |
| Bug #102 | Trivial | No completion for as-path-list in route-map rule | Daniil Baturin |
| Bug #104 | Enhancement | Add an option to remove private information from displayed config | Daniil Baturin |
| Bug #108 | Enhancement | Utilize Linux-specific implementation of RFC1337 | Daniil Baturin |
| Bug #115 | Minor | Syntax: CLI allows users to commit namespaces reserved by IPTables (MARK, CONNMARK, etc.) | Daniil Baturin |
| Bug #122 | Minor | DHCPv6 server lease file is written to /var/log which is not preserved through image upgrades | Daniil Baturin |
| Bug #128 | Trivial | IpSet.pm still calls ipset for each port in a port-range making a complex firewall boot last ages | Paweł Pierścionek, Daniil Baturin |
| Bug #129 | Text | Extra quote in "set protocols ospf distance global" help string | Trick van Staveren |
| Bug #147 | Enhancement | Please implement BCP38 (Reverse Path Filtering) | Ubiquiti (Stig Thormodsrud) |
| Bug #149 | Enhancement | Please implement VrrpV6 | Florian Fuessl |
| Bug #152 | Enhancement | Router Advertisement RFC4191 Specific Routes and RFC6106 DNS configuration not implemented in CLI and Vyos configuration | Ivan Malyarchuk |
| Bug #159 | Enhancement | Feature Request: Support for "dummy" interface configuration | Daniil Baturin |
| Bug #160 | Minor | Invalid DHCP configuration can cause dhcpd to silently fail | Alex Harpin |
| Bug #170 | Enhancement | Add unmanaged L2TPv3 support | Yuya Kusakabe |
| Bug #171 | Minor | Non-optimal partition alignment in installer | hydrajump, Daniil Baturin |
| Bug #178 | Major | Please *don't* remove non-PAE capability | Daniil Baturin |
| Bug #181 | Minor | Check to verify private key may fail for certain valid keys | Ralf Ertzinger |
| Bug #182 | Minor | System DHCP client behavior overrides hard-coded DNS settings | Alex Harpin |
| Bug #186 | Enhancement | RIP passive-interface "default" missing from config template | Kim Hagen |
| Bug #195 | Enhancement | Send message to remote syslog server over UDP or TCP | Abdelouahed Haitoute |
| Bug #196 | Enhancement | Add smuxpeer in snmpd.conf | Abdelouahed Haitoute |
| Bug #197 | Enhancement | Add support for additional DH groups to IPsec | Ryan Riske |
| Bug #200 | Major | UNIONTYPE=overlayfs seems to break helium iso builds since 2014-04-25 | Patrick van Staveren, Hiroyuki Sato, Kim Hagen, Daniil Baturin |
| Bug #204 | Minor | wireless-hostapd: ensure the cipher value given is used by hostapd | Alex Harpin |
| Bug #205 | Minor | wireless-hostapd: set the default ciphers to CCMP TKIP | Alex Harpin |
| Bug #218 | Text | traffic-policy help is hard to understand | Hiroyuki Sato |
| Bug #220 | Enhancement | Add support for SHA2 hashes | Ryan Riske |
| Bug #221 | Minor | Openvpn server mode makes remote client lose default openvpn on dhcp renew | Toni Cunyat |
| Bug #222 | Enhancement | Initial IKEv2 Support | Jeff Leung |
| Bug #223 | Minor | Remove automatic IKE version negotiation | Jeff Leung |
| Bug #224 | Enhancement | Initial MOBIKE Configuration Support | Jeff Leung |
| Bug #225 | Minor | wireless-config: fix "use of uninitialized value" warning | Alex Harpin |
| Bug #230 | Major | radvd only respecting last interface in radvd.conf | Daniil Baturin |
| Bug #231 | Enhancement | OpenSSL 0.9.8za included in VyOS | Kim Hagen |
| Bug #233 | Major | task-scheduler: restart script missing | Ubiquiti (Stig Thormodsrud) |
| Bug #234 | Minor | task-scheduler should verify valid cron file name | Ubiquiti (Stig Thormodsrud) |
| Bug #237 | Enhancement | Add support for cipher and macs overrides in SSH server | neutralrockets |
| Bug #239 | Enhancement | Getting the version number by using dpkg will not work when upgrading to newer version of debian. | Kim Hagen |
| Bug #241 | Major | IPsec VPN allows protected traffic out unencrypted before IKE negotiation completes | Ryan Riske |
| Bug #245 | Minor | vyos constant "failed to get vmstats" spam to /var/log/messages from vmware-tools vmsvc | Kim Hagen |
| Bug #246 | Enhancement | Allow configuring/changing VyOS Linux bridge /sys multicast IGMP querier settings | Daniil Baturin |
| Bug #247 | Major | VyOS helium Linux 3.13 kernel .config doesn't have vmxnet3 driver enabled/available | Kim Hagen |
| Bug #250 | Trivial | Helium build fail Cause "Untrusted packages could compromise your system's security" | Alex Harpin |
| Bug #251 | Enhancement | Add ability to convert config mode "show" output to set commands | Daniil Baturin |
| Bug #255 | Minor | dnsmasq returns 127.0.1.1 to clients requesting the VyOS router's name | Daniil Baturin, Paul Gear |
| Bug #256 | Major | After reboot, configuration of L2TPv3 is not loaded | ftoyama |
| Bug #258 | Major | Unable to add l2tp_ip module for L2TPv3 over ip | ftoyama |
| Bug #259 | Major | unable to delete tunnel | Daniil Baturin |
| Bug #261 | Minor | Quotes in snmpd.conf sysLocation and sysContact not required | Alex Harpin |
| Bug #262 | Minor | vyatta-op-vpn: prevent invalid rsa key file from being generated | Alex Harpin |
| Bug #263 | Major | vyos-kernel: enable atheros wireless drivers in the helium 3.13 kernel | Alex Harpin |
| Bug #265 | Trivial | linux-firmware: remove deprecated ar9170usb firmware | Alex Harpin |
| Bug #266 | Major | vyos-kernel: enable atheros HTC drivers in the helium 3.13 kernel | Alex Harpin |
| Bug #267 | Major | vyos-kernel: enable atheros USB drivers in the helium 3.13 kernel | Alex Harpin |
| Bug #268 | Major | linux-firmware: add carl9170 firmware required by kernel module | Alex Harpin |
| Bug #269 | Trivial | GRUB menu says it's an AWS AMI even if it's not | Daniil Baturin |
| Bug #270 | Enhancement | Add an option to always replace default route | Ewald van Geffen |
| Bug #271 | Enhancement | Add an event handling mechanism | Daniil Baturin, Jon Andersson |
| Bug #274 | Trivial | IPv6 RA "send-advert", "other-config-flag", and "managed-flag" lack value completion | Daniil Baturin |
| Bug #276 | Enhancement | vyos-kernel: update config files for the latest kernel | Alex Harpin |
| Bug #278 | Trivial | vyatta-op-vpn: display the config path location for the rsa key file | Alex Harpin |
| Bug #280 | Enhancement | vyos-kernel: enable realtek rtl8723ae kernel modules for all configs | Alex Harpin |
| Bug #281 | Enhancement | vyos-kernel: enable kernel stack overflow protection for all configs | Alex Harpin |
| Bug #282 | Enhancement | vyos-kernel: disable host virtualisation in the 586-vyos-virt config | Alex Harpin |
| Bug #283 | Enhancement | vyos-kernel: disable kernel debugging for all configs | Alex Harpin |
| Bug #285 | Major | Cannot delete bond interface with vif | Kim Hagen |
| Bug #291 | Minor | vyatta-cfg-vpn: fix for vti interface going down remains routed | Alex Harpin |
| Bug #292 | Minor | Inconsistent dhcpdv6.leases location | Kim Hagen |
| Bug #295 | Minor | wireless-hostapd: set default ciphers used based on the wpa mode | Alex Harpin |
| Bug #296 | Text | Tidy up output on "show dhcp server leases" | Alex Harpin |
| Bug #297 | Enhancement | Sticky incoming connection support for WLB | Ewald van Geffen |
| Bug #300 | Major | Entering configuration mode as root screws up running config permissions | Daniil Baturin |
| Bug #301 | Major | Enable VXLAN kernel module for 586-vyos kernel version | Alex Harpin |
| Bug #303 | Minor | tail is not working (tailing) | Alex Harpin, Daniil Baturin |
| Bug #305 | Minor | Allow interfaces with dhcp addresses to be deleted | Alex Harpin |
| Bug #306 | Enhancement | Add proxy_arp_pvlan support | Shane Short, Daniil Baturin |
| Bug #308 | Enhancement | vyatta-cfg-system: add 'set system allow-dhcp-nameservers' option | Alex Harpin |
| Bug #309 | Enhancement | Expand 'set system allow-dhcp-nameservers' logic | Alex Harpin |
| Bug #314 | Enhancement | Rename allow-dhcp-nameservers and change to typeless | Alex Harpin |
| Bug #317 | Enhancement | vyatta-cfg-vpn: add libnfnetlink-dev to build dependencies | Alex Harpin |
| Bug #318 | Enhancement | Add support for persistent tunnels (--persist-tun) in OpenVPN | Alex Harpin |
| Bug #320 | Text | Tidy up output on "show openvpn <type> status" messages | Alex Harpin |
| Bug #321 | Major | Shaping does not work for PPPoE interfaces | Alex Harpin |
| Bug #326 | Major | Import patch from Redhat for CVE-2014-7169 | Alex Harpin, Daniil Baturin |
| Bug #331 | Trivial | Show vpn ipsec status always returns "no IP on interface..." | Trick van Staveren |
| Bug #332 | Minor | Prevent duplicate local rsa key includes | Alex Harpin |
| Bug #333 | Major | Return correct path for pppoe or pppoa interfaces | Alex Harpin |
| Bug #335 | Minor | AWS: New instance can't be configured until after reboot | Patrick van Staveren |
| Bug #337 | Major | After upgrade from 1.0.3 to 1.1.0beta1, VRRP unable to communicate with other node | Daniil Baturin |
| Bug #341 | Minor | Allow dhcp and dhcpv6 addresses to be deleted | Alex Harpin |

Development environment changes

  • Added the "tools/setup-vyos-build-env" script, which automatically sets up the basic ISO build dependencies.

Maintenance releases

1.1.1

Release date: 2014 December 8

Download: http://packages.vyos.net/iso/release/1.1.1/

Security

Security issues resolved:

Known issues / Workaround

Due to an issue with the OpenSSL package used for Helium, the 64-bit image released for 1.1.0 caused segmentation faults when using SSH on that platform, because SSH host key creation failed there. The 1.1.1 release contains a downgraded version of the OpenSSL package, correcting this issue while the cause is investigated (Bug #345).

Resolved issues

| Bug ID | Severity | Title | Contributor |
|---|---|---|---|
| Bug #147 | Enhancement | Please implement BCP38 (Reverse Path Filtering) | Ubiquiti Networks (Stig Thormodsrud), Ryan Riske |
| Bug #191 | Minor | ipv6 BGP Clear via soft in/out | agusr |
| Bug #312 | Minor | OpenVPN CLI allows remote and local address to be the same | Daniil Baturin |
| Bug #334 | Minor | DHCP sends incorrect hostname to client when use-host-decl-names is on | Alex Harpin |
| Bug #336 | Major | Login block deleted on reboot when user does not have password | Alex Harpin |
| Bug #340 | Minor | configuration backup command doesn't work | Alex Harpin |
| Bug #342 | Minor | Password reset only works for the "vyos" user | Alex Harpin |
| Bug #350 | Major | LDAP Auth through Vyos | Daniil Baturin |
| Bug #351 | Major | there is a mistake in squid.conf | Daniil Baturin |
| Bug #354 | Major | PPTP doesn't work when required authentication protocol is not specified | Daniil Baturin |
| Bug #355 | Enhancement | vyatta-cfg-system: set default vyos password hash to sha-512 when reset | Alex Harpin |
| Bug #364 | Minor | ppp potential local privilege escalation CVE-2014-3158 | Toni Cunyat |
| Bug #381 | Major | VxLAN's "link" option does not work | Hiroshi Umehara |

1.1.2

Release date: 2015 January 22

Security

Several vulnerabilities in NTP have been fixed: CVE-2014-9293, CVE-2014-9294, CVE-2014-9295.

Compatibility notes

Before the fix for Bug #415, the system allowed the "authentication remote-id" option on peers with "@something" names but did not use it in any way; this was undefined and undocumented behaviour. Now the remote-id option overrides the peer name as the ID in this case. If you left it configured by mistake on a "@something" peer, remove it.

Resolved issues

| Bug ID | Severity | Title | Contributor |
|---|---|---|---|
| Bug #345 | Major | SSH command returns "Segmentation fault" | Debian team, Hiroyuki Sato, Alex Harpin |
| Bug #348 | Minor | Pre-shared key regex is too restrictive | Daniil Baturin |
| Bug #350 | Major | Squidguard is built without LDAP support | Igor Golubkov, Alex Harpin |
| Bug #358 | Major | Can't reach other side of VTI IPsec tunnel but can see packets on VTI interface | Alex Harpin |
| Bug #388 | Major | IKEv2 SA's are not shown in "show vpn ipsec sa" | Jason Hendry |
| Bug #395 | Major | IKEv2 Strongswan Re-Authentication Bug | Jason Hendry |
| Bug #396 | Minor | Fix "show vpn ike sa" when reauth=no | Jason Hendry |
| Bug #398 | Minor | "show vpn ipsec sa" does not show left/right subnets with IKEv2 | Jason Hendry |
| Bug #403 | Major | Multiple users changing the running config may cause config subsystem internal errors | Alex Harpin |
| Bug #405 | Major | VTI Routing broken over ipsec | Alex Harpin |
| Bug #411 | Minor | Loading SSH key with spaces in comment fails | Jared Baldridge |
| Bug #414 | Minor | Site-to-site IPsec config script doesn't quote local id properly | Daniil Baturin |
| Bug #415 | Minor | remote-id option doesn't override rightid for peers with @id names | Daniil Baturin |
| Bug #418 | Major | ntp: import RedHat patch to fix CVE-2014-9293 | RedHat, Alex Harpin |
| Bug #419 | Minor | ntp: import RedHat patch to fix CVE-2014-9294 | RedHat, Alex Harpin |
| Bug #420 | Major | ntp: import RedHat patch to fix CVE-2014-9295 | RedHat, Alex Harpin |
| Bug #421 | Minor | ntp: import RedHat patch to fix CVE-2014-9296 | RedHat, Alex Harpin |
| Bug #431 | Minor | IKEv2 SA Information Sometimes Fails | Jason Hendry |
| Bug #438 | Minor | show host domain replies (none) | Alex Harpin |
| Bug #451 | Trivial | Update pre-shared secret key help for single quotes | Alex Harpin |

1.1.3

Release date: 2015 January 28

Security

Security issue resolved:

1.1.4

Release date: 2015 March 09

Security

Resolved security issues:

Compatibility notes

Operational mode command "show shutdown" was renamed to "show poweroff".

Resolved issues

| Bug ID | Severity | Title | Contributor |
|---|---|---|---|
| Bug #35 | Minor | Unable to configure webproxy listen-address when it's associated with an OpenVPN tunnel interface | Igor Golubkov, Alex Harpin |
| Bug #130 | Minor | VRRP group description is not displayed | Alex Harpin |
| Bug #298 | Minor | On shutdown the SSH session on the client does not get disconnected | Alex Harpin |
| Bug #329 | Minor | L2TP IPSec does not accept connections if PSK contains special characters | Alex Harpin |
| Bug #343 | Minor | "Malformed lease" when we have an abandoned DHCP lease | Alex Harpin |
| Bug #367 | Minor | Incorrect PFS config generation in DMVPN | Kim Hagen |
| Bug #377 | Trivial | Pipe (for conversion) to commands should only be available in config context | Daniil Baturin |
| Bug #382 | Minor | Removing system ipv6 forwarding causes script error | Carl Byington, Hiroyuki Sato |
| Bug #400 | Major | OpenVPN denial of service vulnerability (CVE-2014-8104) | OpenVPN maintainers, Alex Harpin |
| Bug #401 | Minor | IKEv2 SA Info not displaying when rekeying is disabled | Jason Hendry |
| Bug #402 | Minor | "show vpn ike sa" displays the wrong information for DH-group | Jason Hendry |
| Bug #423 | Major | Webproxy ldap auth with spaces in binddn and ldap port with squidGuard | Igor Golubkov |
| Bug #433 | Minor | reject-unconfigured-clients statement does not work | Sean Maguire, Alex Harpin |
| Bug #441 | Minor | wan-load-balance service does not reliably daemonize | Chris Wadge, Alex Harpin |
| Bug #453 | Text | vyatta-wireless: update wpa passphrase help for single quotes | Alex Harpin |
| Bug #460 | Enhancement | vyatta-op: update the system poweroff cli command to be script based | Alex Harpin |
| Bug #461 | Enhancement | vyatta-op: replace 'show shutdown' with 'show poweroff' and use script | Alex Harpin |
| Bug #468 | Minor | resolv.conf - invalid format causing extra DNS request | Andreas Sundstrom, Alex Harpin |
| Bug #481 | Enhancement | linux-firmware: Support for new Intel Wi-Fi devices (3160, 7260) | Firmware authors |
| Bug #483 | Enhancement | linux-firmware: add Intel iwlwifi firmwares | Firmware authors |
| Bug #487 | Trivial | Non-committed firewall names do not autocomplete | Daniil Baturin |
| Bug #490 | Major | Can't commit dhcpv6-options for client on ethernet interface | Daniil Baturin |
| Bug #491 | Minor | DHCPv6 client CLI allows temporary and parameters-only to be configured at the same time | Daniil Baturin |
| Bug #492 | Minor | DHCPv6 client CLI doesn't fail commit in case of errors | Daniil Baturin |
| Bug #498 | Major | Operator level users are allowed to execute remote commands via SSH | Daniil Baturin |

1.1.5

Release date: 2015 March 25

Security

The following security issues in OpenSSL were resolved in 0.9.8zf:

  • CVE-2015-0287 (memory corruption in ASN.1 parsing).
  • CVE-2015-0286 (denial of service in ASN1_TYPE_cmp() function).
  • CVE-2015-0289 (NULL pointer dereference in the PKCS#7 parsing code, resulting in denial of service).
  • CVE-2015-0293 (denial of service via a crafted SSLv2 CLIENT-MASTER-KEY message).
  • CVE-2015-0209 (malformed EC private key may result in memory corruption).
  • CVE-2015-0288 (missing input sanitising in the X509_to_X509_REQ() function might result in denial of service).

Resolved issues

| Bug ID | Severity | Title | Contributor |
|---|---|---|---|
| Bug #473 | Minor | VIF Interfaces do not set MTU properly at boot for Jumbo Frames | Alex Harpin |
| Bug #508 | Major | dhcpv6-options doesn't work on VIF interfaces | Benjamin Beret |
| Bug #521 | Major | If a quagga daemon crashes, it can't be restarted | Daniil Baturin |
| Bug #522 | Major | Update OpenSSL to upstream version 0.9.8zf | OpenSSL developers, Alex Harpin (packaging) |
| Bug #528 | Major | Removing "address-family ipv6-unicast" from a BGP neighbor removes the whole neighbor | Daniil Baturin |
| Bug #529 | Trivial | vyatta-cfg-quagga builds useless packages | Daniil Baturin |

1.1.6

Release date: 2015 Aug 17

Security

The following security issues are resolved in this release:

Resolved issues

| Bug ID | Severity | Title | Contributor |
|---|---|---|---|
| Bug #406 | Minor | No completion for uncommitted firewall group names in rulesets | Daniil Baturin |
| Bug #434 | Minor | Client configuration file not configured unless client options present | Alex Harpin |
| Bug #509 | Text | Top Level CLI help Merge bad formatting | Alex Harpin |
| Bug #517 | Minor | commit-archive with scp location fails on self signed ssh keys | Alex Harpin |
| Bug #541 | Major | Creation of L2TPv3 interface with IPv6 endpoints fails | Daniil Baturin |
| Bug #557 | Major | 'delete system login user' doesn't remove the user | Alex Harpin |
| Bug #567 | Minor | The strip-private command fails to remove SSH keys | Alex Harpin |
| Bug #573 | Major | missing encrypted-password breaks user config node | Alex Harpin |

Notes

This release image includes an updated public key (A0FE6D7E).

1.1.7

Release date: 2016 Feb 17

Security

This release resolves the following major security issue:

  • CVE-2015-7547 (glibc stack-based buffer overflow when the getaddrinfo() library function is used)