EdgeMAX EdgeRouter software release v1.8.5

by Previous Employee UBNT-ancheng 06-13-2016 03:22 PM - edited 06-14-2016 03:15 PM

New EdgeMAX software version v1.8.5 for EdgeRouter products has been released and is available here:

As discussed before the focus of this release is on bug fixes and there are many fixes/enhancements based on reports/feedback from community members. In addition, there are also several new features (offload, per-port VLAN, traffic analysis/DPI) for the ER-X platform, and more details can be found in the release notes below. Thanks everyone for reporting issues, providing feedback, and participating in the alpha/beta testing to help us improve the products!



[Release Notes v1.8.5]

Changelog

Changes since v1.8.0

New features

  • [Offload] Add "Hardware NAT" offload function for the ER-X platform (i.e., ER-X, ER-X-SFP, and EP-R6 models), which can significantly improve packet forwarding performance while reducing CPU utilization. It currently supports IPv4 and IPv6 traffic, including VLAN, PPPoE, bridging, etc. It is disabled by default and can be enabled with:

    set system offload hwnat enable
    
    This has been discussed with many community members including @veresk @dpurgert @Ubeavis @jacktooandroid @mike99 @ashamon @Isolus @Unwired @ngilles @Psudo @mobbarley @dremon @guran @jamesfry @Deleted Account @jjonsson @foresto @sagho @stcbus @o_cee @BranoB @ConnorM @bjck @hazuki @charettepa @frinnst @gaetancambier @raidz2 for example in these threads: 1 2 3 4.

  • [Switch] Add "per-port VLAN" feature for the ER-X platform. Now "untagged" and "tagged" VLANs can be set for each port in "switch mode" on the ER-X platform (including ER-X, ER-X-SFP, and EP-R6). This can be configured using the configuration dialog for switch0 in the Web UI:
    [screenshot: switch.png]
    Or using the CLI, for example:
    set interfaces switch switch0 switch-port vlan-aware enable
    set interfaces switch switch0 switch-port interface eth3 vlan pvid 100
    set interfaces switch switch0 switch-port interface eth3 vlan vid 200
    set interfaces switch switch0 switch-port interface eth3 vlan vid 300
    
    This would set VLAN 100 to be "untagged" on port eth3, and VLANs 200 and 300 to be "tagged" on port eth3. Note that the global "vlan-aware" setting (default disabled) enables the new "per-port VLAN" feature. If it is not enabled, the switch ports function the same way as before, i.e., simple L2 switching with no per-port VLAN, passing all VLANs automatically, and none of the per-port VLAN settings have any effect.

    The per-port VLAN feature has been discussed with many community members before including @fmcajello @encryptor @intrepid @nkelischek @davidlacey @pwolf dpurgert @mld @rebelwireless @bflikkema @heli0s @novelty22 @NVX @spynappels @mhohman @Briain Unwired @eejimm @Magician @ClaudeSS @Paetur @JimBouse @esseph @dragon2611 BranoB @Dave-D , for example in these threads: 1 2 3 4 5 6 7 8 9.

  • [DPI/Traffic Analysis] Add DPI and Traffic Analysis features for the ER-X platform (including ER-X, ER-X-SFP, and EP-R6 models). This means all current models now have support for DPI/Traffic Analysis. The features work the same way as on the other platforms, are disabled by default as well, and can be enabled from the Web UI Traffic Analysis page or using the CLI:
    set system traffic-analysis export enable
    set system traffic-analysis dpi enable
    
    This has been discussed with many community members before including @WisTech @rdahlin @snapper @HillHeadTim dragon2611 @RyLeeRyno ConnorM @keefe007 NVX gaetancambier @jbrisko @calpines @psych0l @skoenman @pokwer @twoolums @idxman01 @plopes1960 Ubeavis @No_WaY @voiprouting @djwujek Psudo , for example in these threads: 1 2 3 4 5 6 7 8.

    A few things to note:
    • If the new "HW NAT" offload feature for ER-X is also enabled, traffic to which HW NAT is applied is handled by the hardware directly and therefore Traffic Analysis/DPI cannot see such traffic.
    • Also, similar to the offload features for the older platforms, certain traffic is not eligible for offload, e.g., traffic that requires QoS policy cannot be offloaded.
    • This means that on the ER-X platform, when both Traffic Analysis/DPI and HW NAT offload are enabled, some traffic may be seen in Traffic Analysis/DPI while other traffic is not; e.g., traffic requiring QoS cannot be offloaded and is therefore still seen by Traffic Analysis/DPI.
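As an added example (not EdgeOS code) for the per-port VLAN feature above, the following parses the "set" commands in the syntax shown in the notes, derives each port's untagged/tagged membership, and flags the case the notes warn about: per-port settings that have no effect because "vlan-aware" is not enabled. The sample configuration is constructed and extends the notes' four commands with a second port.

```python
"""Parse EdgeOS-style per-port VLAN 'set' commands for an ER-X switch and
derive each port's untagged/tagged membership. Added example, not EdgeOS code."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

VLAN_AWARE_RE = re.compile(
    r"^set interfaces switch (\S+) switch-port vlan-aware (enable|disable)$")
PORT_VLAN_RE = re.compile(
    r"^set interfaces switch (\S+) switch-port interface (\S+) vlan (pvid|vid) (\d+)$")

# Constructed sample: the four commands from the notes plus eth4 untagged in VLAN 200.
SAMPLE_CONFIG = """
set interfaces switch switch0 switch-port vlan-aware enable
set interfaces switch switch0 switch-port interface eth3 vlan pvid 100
set interfaces switch switch0 switch-port interface eth3 vlan vid 200
set interfaces switch switch0 switch-port interface eth3 vlan vid 300
set interfaces switch switch0 switch-port interface eth4 vlan pvid 200
"""


@dataclass
class PortVlans:
    pvid: Optional[int] = None                      # VLAN carried untagged on the port
    tagged: Set[int] = field(default_factory=set)   # VLANs carried tagged


@dataclass
class SwitchVlans:
    vlan_aware: bool = False                        # global setting, disabled by default
    ports: Dict[str, PortVlans] = field(default_factory=dict)


def parse_switch_config(text: str, switch: str = "switch0") -> SwitchVlans:
    """Build the VLAN model from 'set' lines; lines for other switches are ignored."""
    model = SwitchVlans()
    for raw in text.splitlines():
        line = raw.strip()
        m = VLAN_AWARE_RE.match(line)
        if m and m.group(1) == switch:
            model.vlan_aware = m.group(2) == "enable"
            continue
        m = PORT_VLAN_RE.match(line)
        if m and m.group(1) == switch:
            _, port, kind, vid_str = m.groups()
            vid = int(vid_str)
            if not 1 <= vid <= 4094:
                raise ValueError(f"{port}: VLAN id {vid} outside 1-4094")
            entry = model.ports.setdefault(port, PortVlans())
            if kind == "pvid":
                entry.pvid = vid
            else:
                entry.tagged.add(vid)
    return model


def lint(model: SwitchVlans) -> List[str]:
    """Findings to review before commit. The first one reflects the note that
    per-port settings do nothing unless vlan-aware is enabled."""
    findings: List[str] = []
    if not model.vlan_aware:
        if model.ports:
            findings.append("vlan-aware disabled: per-port VLAN settings have no "
                            "effect and the switch passes all VLANs")
        return findings
    for port, pv in sorted(model.ports.items()):
        if pv.pvid is not None and pv.pvid in pv.tagged:
            findings.append(f"{port}: VLAN {pv.pvid} set as both pvid and tagged vid")
    return findings


def ports_carrying(model: SwitchVlans, vid: int) -> Dict[str, str]:
    """Map port -> 'untagged' | 'tagged' for every port that carries `vid`.
    Empty when vlan-aware is off, because membership is then not enforced."""
    if not model.vlan_aware:
        return {}
    result: Dict[str, str] = {}
    for port, pv in model.ports.items():
        if pv.pvid == vid:
            result[port] = "untagged"
        elif vid in pv.tagged:
            result[port] = "tagged"
    return result


if __name__ == "__main__":
    cfg = parse_switch_config(SAMPLE_CONFIG)
    print("VLAN 200 on:", ports_carrying(cfg, 200), "findings:", lint(cfg) or "none")
```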

 

Enhancements and bug fixes

  • [IPsec] Change implementation of "initiate" connection type, as the original implementation does not work well with the newer version of strongSwan. More specifically, it now uses "auto=route" instead of "auto=start" (which is not recommended by strongSwan as it can break in some cases). This has been reported by and discussed with community members including BranoB @chaicka @thrca @ropeguru @levicki @psydafke @OzPHB @matthardeman @steve_mcneill @robfoehl @whereisaaron @sbothelio @justMeh mhohman pokwer @fgp @netts @tais @gsloop @jms33 for example in these threads: 1 2 3 4.
  • [IPsec] Change the VTI interface handling logic so that the link up/down is no longer tied to the IPsec status. (Note that this is not the same as changing the script to not "down" the interface which was discussed previously, since that would still tie the link "up" to the IPsec status.) This has been discussed in forum threads here and here, with the same community members as above. Thanks everyone for testing and reporting the issues!
  • [IPsec] Deprecate the "ipsec-interfaces" setting (it is not actually used for the strongSwan config and also causes a warning with the new version of strongSwan). Reported by OzPHB here.
  • [IPsec] Add validation for aggressive mode to disallow its use with PSK (since it is not allowed by strongSwan by default). Reported by and discussed with @HenryL @TriJetScud here.
  • [IPsec] Add validation for RSA authentication to disallow its use if peer is 0.0.0.0 (any).
  • [IPsec] Add more crypto options for ESP group configuration, including "aes128gcm128" and "aes256gcm128" for "encryption" and "sha256", "sha384", and "sha512" for "hash".
  • [IPsec] Fix packaging for strongSwan packages to include the "pki" tool. Reported by and discussed with @canope @nextgens here.
  • [IPsec] Change log level for IPsec offload log messages that are not useful in most cases. Reported by @fixinko here.
  • [Offload] Fix possible "download corruption" issue triggered by packet corruption that happened upstream (before reaching the router). There have been several reported cases over the years that were possibly caused by this issue for example from community members @AdamB @kkier @petecarlson @Cloudz @spiderben25 @bwann @tommie @heldchen (see here for more details). Recently community members @gryphius @Sebjepb kindly set up and provided their test environments and worked with UBNT-afomins who was then able to replicate/debug/fix the issue, so thanks very much gryphius Sebjepb for your help!
  • [DNS forwarding] Update the underlying dnsmasq software to the current version 2.75, now building/packaging it ourselves. The new version includes quite a few new features, which are not yet explicitly supported in the router configuration but can be used with the free-form "options" config setting for DNS forwarding for example. These have been requested by and discussed with community members including zx2c4 rolfl brianredbeard 6keazik7 mgorbach kikimora csch rkj for example in these threads: 1 2 3 4 5.
  • [System] Update iproute2 to version 4.4.0 for enhancements/fixes (e.g., ip6gre tunnel, possible fix for segfault, etc.), discussed with community members including RcRaCk2k britannic Bobby-B csch tommie NVX Corny matthardeman BranoB for example in these threads: 1 2 3 4 5 6.
  • [System] Change upgrade code to delete the old version first if there is not enough space for the upgrade operation. For CLI upgrade this asks the user for confirmation; it is automatic when upgrading through the Web UI. This is particularly useful for the ER-X platform, which has more limited storage and may often require it. (Of course the new upgrade code will only take effect at the next upgrade.) This has been discussed with community members including smccloud WisTech dragon2611 Bobby-B TriJetScud OzPHB avpavp psydafke startoff foxwolfe for example in these threads: 1 2 3 4 5.
  • [System] Only load MPLS forwarding module when MPLS-related features are configured. This avoids the performance overhead from the module when MPLS is not configured. Discussed with final dragon2611 Mrcheebs staze here and here.
  • [System] Update copyright date in Web UI and CLI. Reported by markg here.
  • [System] Adjust sudo logging level to avoid spamming syslog with successful messages at default syslog level. Reported by and discussed with spc337 Xand tvBilly NVX train_wreck snafu John1980 UserMax in these threads: 1 2 3 4 5 6.
  • [System] Apply appropriate permissions and cleanup to temporary file created by commit-revisions feature. Reported by and discussed with loafbread whowe82 dpurgert here.
  • [System] Fix long boot time in some cases when DNS server is not reachable, which may also cause other config issues. Reported by and discussed with tyr whowe82 magical DStahl Kegerrard here.
  • [System] Add support for new SSH key types for user public key and the "loadkey" command. Based on patch provided by jquagga here. Discussed with opencode ub40 jquagga kpfleming darco here and here.
  • [System] Fix local IP address check for IPv6 addresses. Patch contributed by tyeken8 here.
  • [System] Fix typo in the "vyatta-bridge.pl" script reported by karog here.
  • [Web UI] Update to PHP version 7 with the required cross-build changes and fixes, in part based on the notes contributed by rlerdorf (Rasmus Lerdorf!) here. Thanks!
  • [Web UI] Remove support for legacy browsers; "native WebSocket" support is now required. For example, the following browsers are supported:
    • Any recent version of Firefox
    • Any recent version of Chrome
    • IE 10 or higher
    • Edge
    • Safari 7 or higher
    Note that since the "legacy support" used Flash to provide WebSocket on older browsers, the Web UI is now 100% "Flash-free". This also means the removal of the "vfpolicyd" daemon, which listened on port 843 to support the Flash fallback for WebSocket.
  • [Web UI] Add support for using only newer (stronger) ciphers for HTTPS. Note that older ciphers are required for wider browser compatibility, but if that is not a concern, they can be disabled with:
    set service gui older-ciphers disable
    
    If older ciphers are disabled, the ones used are (based on Mozilla "Modern" recommendations):
    ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
    ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
    ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
    ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
    ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
    ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
    ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
    ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
    
    The change is based on discussions with community members including di3 MZorzy blackoutCH3 soehest atvirtual rickyloera jmw thermionic jquagga NVX here and here.
  • [Web UI] Add new config setting for the "HTTP port" of the Web server, for example:
    set service gui http-port 8080
    
    The HTTP port now also observes the configured "listen-address" (previously it always listened on all interfaces). This has been suggested by and discussed with community members including jfunk hyphenatic intrepid yatahaze kiyose dpurgert in these threads: 1 2 3 4.
  • [Web UI] Implement proper HTTP-to-HTTPS redirect in the case of non-default HTTP and HTTPS ports. Previously the code always used port 443 for HTTPS, so the redirect broke if a non-default HTTPS port was used. Reported for example by 16again here.
  • [Web UI] Add new config settings for Web server certificate files. For example, to specify a particular server certificate (including private key):
    set service gui cert-file /config/auth/server.pem
    
    To specify a "CA file" for chained certificates:
    set service gui ca-file /config/auth/ca.pem
    
    These have been discussed before for example with jtenniswood iampedro jjr aloishammer oxfrombws Luppie1975 secesh frinnst whereisaaron rMacbookPro Blooze OzPHB NVX o_cee darco for example in these threads: 1 2 3 4.
  • [Web UI] Fix sorting issue on the Traffic Analysis page for entries with "Tbytes" unit. Reported by mattlach here.
  • [Web UI] Add the "VPN Status" feature wizard contributed by orangevan meyergru here and here.
  • [Web UI] Add the "DNS host names" feature wizard contributed by bonienl here.
  • [Web UI] Add burst rate and burst size settings to Advanced Queue leaf node config.
  • [Web UI] Fix issue with Traffic Analysis page caused by config changes under System.
  • [Web UI] Fix Smart Queue config issue where changes are not saved when Smart Queue is deleted. Reported by jacktooandroid here.
  • [Web UI] Fix issue where some dynamic IPv6 addresses are not displayed on the dashboard. Reported by train_wreck seacycle jbehrends here.
  • [Web UI] Use SHA256 when generating certificate for the Web server. Suggested by jquagga here.
  • [Web UI] Add support for more than two WAN interfaces in the load balancing wizard. Also change the wizard to allow more flexible selection of the WAN/LAN interfaces.
    [screenshot: lb-wiz.png]
  • [Web UI] Fix IPv6 address handling when upper case characters are used in the config. Reported by darco here.
  • [Web UI] Fix validations for hostname in the DNS hostname wizard. Reported by dcplaya defiant here.
  • [Web UI] After login, ask user whether basic setup wizard is needed if the router is running with default config. Discussed with unclemac dpurgert here.
  • [Web UI] Fix help text typos reported by dynamicpbx here.
  • [Web UI] Enable "authoritative" setting for DHCP server config set up by the setup wizards. Discussed with ndfred whowe82 here.
  • [Web UI] Fix packaging issue for the "load balancing2" setup wizard for the ER-X platform. Reported by tomtorr here.
  • [Web UI] Fix counters display of switch ports for the ER-X platform. Reported by BHSAZ Solideco here and here.
  • [Web UI] Fix duplicate display of IPv6 address containing leading zeros. Reported by chaicka here.
  • [Web UI] Fix firewall rule number display when reordering rules but not saving.
  • [Web UI] Update validation for host name to be consistent with the CLI configuration. Reported by tanuki here.
  • [Web UI] Fix firewall rule validation for protocol. Reported by and discussed with lilo73 AdeptIT here.
  • [Web UI] Add support for TCP reject action for firewall rules.
  • [Web UI] Change firewall rule reordering so that rule numbers are incremented by 10 (i.e., 10, 20, 30, ...) after reordering. Discussed with thrca BranoB fenrir chaicka o_cee here.
  • [Web UI] Fix branch node creation for Advanced Queue. Reported by acuschini here.
  • [Traffic Analysis] Improve handling of "external IPs" to reduce the number of less useful entries taking up Traffic Analysis data (however this may not eliminate all cases of "external IP" entries). Such cases have been discussed with community members including Elefantito DStahl dison4linux jms33 dcplaya Armski final androme filiphw wkweksl cyleung phono Djursland01 biff reorxp dmoutal zsoltika007 orbitz agidi jonathan1 rotor warrentc3 for example in these threads: 1 2 3 4 5.
  • [Traffic Analysis/DPI] Improve handling of flow stats in some cases.
  • [DPI] Add built-in categories including "Web" as suggested by and discussed with skoenman bGuHsOtSeTr here.
  • [DPI] Add validation to disallow DPI application matching in firewall and advanced queue on platforms that do not support DPI yet.
  • [DPI] Fix firewall rule configuration when Instant-Messaging category is specified. Reported by rymarks here.
  • [DPI] Modify signature update script to only extract specific files. Suggested by m0sia.
  • [DPI] Add configuration for hour of day (local time) to check update for new DPI signatures, e.g.:
    set system traffic-analysis signature-update update-hour 3
    
    would check for updates between 3 AM and 4 AM. Or to disable signature update:
    set system traffic-analysis signature-update disable
    
  • [Interface] Enable Ethernet flow control (pause frames) auto-negotiation by default on all interfaces of all models (except the "combo" ports on the ER Pro). Note that it still requires auto-negotiation and so pause frames will only be used if the other side also supports and advertises pause frames. This has been discussed with community members including wtm eejimm tskstar mhoppes dpurgert skidmata RedLink_Juan kaiser ClaudeSS jjonsson PeterFalken mike99 mgthump2 BHSAZ for example in these threads: 1 2 3 4 5 6 7.
  • [Interface] Fix kernel setting for eth5 (SFP port) on the ER-X-SFP and EP-R6.
  • [Interface] Fix some auto-negotiation/speed issues for the SFP port on ER-X-SFP. Reported by and discussed with MLWALK3R o_cee jquagga ringnebula eejimm here and here.
  • [Interface] Fix interface route handling when interface has no address. Reported by and discussed with AVG-Don the_slain_man here.
  • [Interface] Disallow deleting physical interfaces to prevent issues with config out-of-sync with system. Reported by I_Support here.
  • [Interface] Fix timing issue with dynamic interface handling when a dynamic interface is created while a commit is ongoing. Reported by and discussed with jacotec TyShawn filipvdb alawadhi justinoleary911 Brailyn here and here.
  • [Interface] Add "proxy-arp-pvlan" setting for interfaces. Patch provided by Shorty_ and discussed with clegendre pshempel friction87 in these threads: 1 2 3.
  • [Interface] Add support for setting MAC address on VLAN interface. Discussed with NVX fLoo rjh2805 sorvani hjkoster400d abu_cwarky dremon ub40 in these threads: 1 2 3.
  • [BGP] Fix attribute flag validation to handle extended length correctly. Reported by and discussed with gallysoft TheCiscoGuy psych0l michaeldale Piniongear jgeiger-itvocal lasseoe DStahl here and here.
  • [BGP] Fix "as-path-prepend" config with single AS specified. Reported by pepemp here.
  • [BGP] Fix possible memory corruption that was causing the routing daemon to crash in some cases. Reported by michaeldale who also helped run a debug build and provide detailed information which made the fix possible (see here). Thanks!
  • [BGP] Lower log level for "Withdraw: Can't find route" messages that are not normally useful. Reported by and discussed with diorges wsftech janegil ehsab here.
  • [BGP] Fix handling of confederation ID and peer to allow extended ASN. Reported by Nexxcom-Jerome here.
  • [BGP] Remove deprecated config setting including disable-network-import-check. Reported by michaeldale here.
  • [BGP] Add "show bgp l2vpn" commands for VPLS/BGP status:
    show bgp l2vpn
    show bgp l2vpn detail
    
  • [BGP] Fix handling of nexthop interface flapping to ensure BGP route getting inserted into kernel table. Reported by and discussed with robfoehl matthardeman dragon2611 here.
  • [BGP] Fix BGP route-map community config to allow community value 0. Reported by and discussed with matthardeman NVX here.
  • [BGP] Fix "bestpath as-path confed" configuration setting. Reported by l3 here.
  • [BGP] Fix BGP daemon crashing due to issue with parsing extended community message. Reported by RcRaCk2k here.
  • [BGP] Fix configuration ordering and other issues related to "update-source" setting. Reported by NVX here and here.
  • [BGP] Fix BGP daemon crashing due to issue with parsing graceful-restart capabilities. Reported by jk-5 here.
  • [Routing] Fix incorrect recursive route handling causing ribd to use 100% CPU. Reported by and discussed with pokwer nickwhite matthardeman here and here.
  • [Routing] Fix "martian" address detection in routing code. Reported by and discussed with sxpert fLoo BranoB wdeman tomhiggins here.
  • [RIP] Fix MD5 authentication config. Reported by ehren8879 here.
  • [SNMP] Fix SNMP support for routing protocol daemons. Reported by kiall here.
  • [SNMP] Improve error message for listen-address configuration with IPv6 link-local address but no interface.
  • [SNMP] Fix possible SNMP startup issue with SNMPv3 configuration. Reported by dragon2611 matthardeman here.
  • [Advanced Queue] Allow "ip", "ether", "mark", and "application" match criteria to be specified in the same filter to provide more flexibility.
  • [Smart Queue] Fix config issues and add validations to prevent invalid config (e.g., neither upload nor download is configured). Reported by iCrOn TNTBrian here.
  • [PPPoE client] Fix interface rename when IPv6 is configured on the PPPoE interface. Reported by and discussed with tseeley here.
  • [QoS] Remove the "set-dscp" setting from traffic-policy as it does not work "correctly" and causes issues. In most cases, setting DSCP can already be done using "firewall modify" rules instead (which also allows more flexible matching criteria etc.). Discussed with esseph waheuler spencerryan in these threads: 1 2 3.
  • [Dynamic DNS] Add No-IP service as an explicit option for DDNS configuration both in CLI and Web UI. Discussed with ikus060 nedaros bradynapier elgo iampedro brandonrussell Kai2high ryan3531 valentinerich -jw h2oskr bledd for example in these threads: 1 2 3 4.
  • [L2TP/IPsec] Update config validation so that it no longer requires deprecated IPsec settings (interface and NAT traversal settings). Reported by rotor here.
  • [PPTP server] Fix typo in config help text. Reported by Gravitydrive here.
  • [MPLS] Change "propagate-ttl" to disabled by default, which is consistent with the default config. Note that this only partially fixes the issue reported by markqvist here. More specifically, enabling "propagate-ttl" still has no effect and we will need to fix that.
  • [OSPFv3] Reorganize OSPFv3 config settings by moving most settings under "parameters" up one level (to be more consistent with original OSPF config structure).
  • [OSPFv3] Fix "passive-interface default" setting and add "passive-interface-exclude" setting. Reported by and discussed with NVX here.
  • [IGMP proxy] Apply patch for IGMPv3 support. Suggested by and discussed with jakbeatz BranoB dremon jjr kdk here and here.
  • [Kernel] Enable CONFIG_XFRM_STATISTICS in kernel config to provide more stats/information for IPsec troubleshooting. Suggested by and discussed with fgp agsqwe 6keazik7 here.
  • [CLI] Fix SNMP config to eliminate Perl error when configuring SNMPv3 without privacy.
  • [CLI] Fix help text for SNMP "listen-address" and "network" to make it clear IPv6 address/network is supported. Reported by jocke here.
  • [CLI] Fix handling of user password starting with the '-' character. Reported by Vincent_ts here.
  • [CLI] Remove obsolete "show disk" commands reported by o_cee here.
  • [Firewall] Fix issue with time-based firewall rule using incorrect time after daylight saving time change. This has been discussed with stegzter Grahambo esseph sblees Tranx ChinookTx pmatuszy mnabeel ifehertoi wkweksl muniak rhamblen32 DarkskyZ Advocate99 wtm ambroselittle michaeln416 cherwilco in these threads: 1 2 3.

Fixes/changes for issues found/reported during alpha/beta testing:

 

  • [Offload] Fixes for the "HW NAT" offload feature on ER-X platform (including ER-X, ER-X-SFP, and EP-R6):
    • Fix "hwnat" configuration for "non-root" user on ER-X platform. Reported by dragon2611 here.
    • Fix the issue where offload does not work if ISC DHCP server (and possibly other software) is running
    • Fix certain corner cases when offload is in effect that could cause the switch to stop functioning
    These fixes/enhancements should address the issues in v1.8.5alpha1 reported by and discussed with o_cee bjck dragon2611 di3 BranoB WisTech fenrir redfive mojne jacktooandroid matthardeman in these threads: 1 2 3.
  • [Offload] Fix switch issue on ER-X platform where the switch stops working when encountering certain IPTV traffic with "HW NAT offload" enabled. Reported by and discussed with jacktooandroid matthardeman bjck here.
  • [Offload] Fix packet counters for ethX interfaces when HW NAT offload is enabled on ER-X platform.
  • [Offload] Fix IPv6 HWNAT offload on ER-X platform when IPv6 firewall rules are configured. Reported by and discussed with bjck here.
  • [IPsec] Fix "restart vpn" command which was checking deprecated config settings.
  • [DNS forwarding] Fix dnsmasq crash issue reported by fromport here.
  • [Web UI] Change default for "older-ciphers" to "enable". This allows users with older browsers to continue accessing the Web UI after upgrade. It can be set to disable if browser compatibility is not a concern.
  • [Web UI] Fix switched ports not being displayed in the switch0 config dialog. Reported by and discussed with WisTech fenrir BranoB here.
  • [Routing] Change routing daemons to only connect to the SNMP daemon if it is running. This eliminates the repeated (failed) connection attempts reported by and discussed with bjck here.
  • [SNMP] Fix additional issue for SNMP support in routing daemons. Reported by kiall NVX here.
  • [SNMP] Fix SNMP "refused smux peer" issue introduced by the SNMP support for routing daemons that was causing excessive logging. Reported by and discussed with drac Armski chaicka kr in these threads: 1 2 3 4.
  • [Switch] Fix untagged packet handling issue on the ER-X platform introduced in beta1 that affects certain setups. Reported by and discussed with WisTech dragon2611 BranoB lancer73 chaicka ClaudeSS fenrir cryogenic ConnorM jacktooandroid bledd arielbarriga ESYTA_NETWORKS flipper in these threads: 1 2 3 4 5.
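Since "older-ciphers" defaults to "enable" after the upgrade (see the alpha/beta fix above) and the stronger set only applies once it is disabled, a practitioner will want to verify what the Web UI actually offers. The following added example (not EdgeOS code) audits a cipher list in the "openssl ciphers -v" format printed in the Web UI cipher item above against a modern-only policy, and includes a helper that reads the suite a live router negotiates; the host name and port passed to that helper are assumptions, and LEGACY_LIST is constructed.

```python
"""Audit an 'openssl ciphers -v' style list against a modern-only policy and
optionally read the cipher a live router's Web UI negotiates. Added example,
not EdgeOS code. MODERN_LIST is the eight suites from the release notes;
LEGACY_LIST is constructed to show what the audit rejects."""
import re
import socket
import ssl
from typing import Dict, List

CIPHER_LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)$")

MODERN_LIST = """\
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
"""

# Constructed legacy entries in the same format (not from the notes).
LEGACY_LIST = """\
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH     Au=RSA  Enc=3DES(168) Mac=SHA1
"""

WEAK_ENC_PREFIXES = ("RC4", "DES", "3DES", "None", "IDEA", "SEED")
STRONG_MACS = {"AEAD", "SHA256", "SHA384", "SHA512"}


def parse_cipher_list(text: str) -> List[Dict[str, str]]:
    """Parse each non-empty line into its name/proto/Kx/Au/Enc/Mac fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = CIPHER_LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised cipher line: {line!r}")
        entries.append(m.groupdict())
    return entries


def policy_findings(c: Dict[str, str]) -> List[str]:
    """Reasons a suite fails the modern-only policy (empty list means it passes)."""
    findings = []
    if c["proto"] not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"protocol {c['proto']} is below TLS 1.2")
    if not c["kx"].startswith(("ECDH", "DH")):     # require forward secrecy
        findings.append(f"key exchange {c['kx']} has no forward secrecy")
    if c["au"] == "None":
        findings.append("anonymous authentication")
    if c["enc"].startswith(WEAK_ENC_PREFIXES):
        findings.append(f"weak cipher {c['enc']}")
    if c["mac"] not in STRONG_MACS:
        findings.append(f"weak MAC {c['mac']}")
    return findings


def audit(text: str) -> Dict[str, List[str]]:
    """Map cipher name -> findings for every suite in the list."""
    return {c["name"]: policy_findings(c) for c in parse_cipher_list(text)}


def is_modern_only(text: str) -> bool:
    return all(not f for f in audit(text).values())


def negotiated_cipher(host: str, port: int = 443, timeout: float = 5.0) -> Dict[str, object]:
    """Connect to the router's HTTPS port and return the negotiated suite.
    Certificate verification is disabled only because the default Web UI
    certificate is self-signed; this reads the cipher and trusts nothing else."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, proto, bits = tls.cipher()
            return {"name": name, "protocol": proto, "bits": bits}
```

Run `negotiated_cipher("router.example", 443)` (hostname assumed) before and after `set service gui older-ciphers disable` and compare the result with `audit()` of the list the router is configured with.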

 

Updated software components

  • Update bind9 to 1:9.8.4.dfsg.P1-6+nmu2+deb7u10: Fix CVE-2016-1285, CVE-2016-1286
  • Update libssh2 to 1.4.2-1.1+deb7u2: Fix CVE-2016-0787
  • Update openssl to 1.0.1e-2+deb7u21: Fix CVE-2016-0797, CVE-2016-0798, CVE-2016-0799, CVE-2016-0702, CVE-2016-0705, CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109
  • Update openssh to 6.6p1-4~bpo70+1 (from wheezy-backports). Suggested by jquagga opencode here and here.
  • Update perl to 5.14.2-21+deb7u3: Fix CVE-2016-2381
  • Update squid3 to 3.4.8-6+deb8u2~bpo70+1: Fix CVE-2016-2571
  • Update PHP to 7.0.7: Fix CVE-2015-8865, CVE-2016-4070, CVE-2016-4071, CVE-2016-4072, CVE-2016-4073, CVE-2016-4537, CVE-2016-4538, CVE-2016-4542, CVE-2016-4543, CVE-2016-4544, CVE-2016-3074, CVE-2016-4540, CVE-2016-4541, CVE-2016-4539, CVE-2016-3078, CVE-2013-7456, CVE-2016-5093
  • Update mactelnet to 0.4.0-1 to fix segfault/crash reported by cserf here.
  • Update base-files to 7.1wheezy10 (sync to Debian 7.10)
  • Update tzdata to 2016c-0+deb7u1 (sync to Debian 7.10)
  • Update libidn to 1.25-2+deb7u1: Fix CVE-2015-2059
  • Update eglibc to 2.13-38+deb7u11: Fix CVE-2016-1234, CVE-2016-3075, CVE-2016-3706
  • Update expat to 2.1.0-1+deb7u4: Fix CVE-2016-0718, CVE-2016-0719, CVE-2012-6702, CVE-2016-5300
  • Update libxml2 to 2.8.0+dfsg1-7+wheezy6: Fix CVE-2016-1762, CVE-2016-1834, CVE-2016-3705, CVE-2016-4483, CVE-2016-1840, CVE-2016-1838, CVE-2016-1839, CVE-2015-8806, CVE-2016-2073, CVE-2016-4449, CVE-2016-1837, CVE-2016-1835, CVE-2016-4447, CVE-2016-1833, CVE-2016-3627
  • Update libtasn1-3 to 2.13-2+deb7u3: Fix CVE-2016-4008