Merge branch 'stage' into rachel-stage
rachel-netq committed Nov 7, 2024
2 parents 1181820 + 31f0b5c commit 143fd34
Showing 37 changed files with 296 additions and 421 deletions.
2 changes: 0 additions & 2 deletions content/cumulus-linux-50/Whats-New/rn.md
Expand Up @@ -22,7 +22,6 @@ pdfhidden: True
| <a name="3585467"></a> [3585467](#3585467) <a name="3585467"></a> <br /> | NVUE and <code>ip link</code> show traditional bridge VLAN subinterface counts incorrectly. The ingress (Rx) count increments correctly but the egress (Tx) count does not increment. This issues occurs because the hardware does not support transmit counters for a VLAN subinterface; therefore, no statistics from the hardware are updated. Statistics for software forwarded packets show correctly. | 5.0.0-5.6.0 | 5.7.0-5.10.1|
| <a name="3560622"></a> [3560622](#3560622) <a name="3560622"></a> <br /> | When you configure a route distinguisher (RD) or a route target (RT) manually for layer 2 VNIs, type-1 routes are not properly updated, type-1 EVI routes with the old RD are not properly withdrawn, and type-1 ES routes do not have the corresponding layer 2 VNI route target updated. | 5.0.0-5.5.1 | 5.6.0-5.10.1|
| <a name="3554231"></a> [3554231](#3554231) <a name="3554231"></a> <br /> | CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009<br />Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P '')<br />For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. | 4.0.0-4.3.1, 5.0.0-5.10.1 | 4.3.2-4.4.5|
| <a name="3491259"></a> [3491259](#3491259) <a name="3491259"></a> <br /> | When BGP receives an EVPN type-5 route with a gateway IP overlay attribute, the gateway IP overlay attribute in the <code>attr memory</code> (which is already inserted in the attribute hash) might change. As a result, the modified <code>attr memory</code> might match with another <code>attr</code> in the attribute hash, which produces duplicate entries in the hash table. As a result, BGP might crash when deleting one of the duplicate <code>attr</code> structures. | 5.0.0-5.5.1 | 5.6.0-5.10.1|
| <a name="3488136"></a> [3488136](#3488136) <a name="3488136"></a> <br /> | When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the <code>nv action clear vrf <vrf> router bgp neighbor <neighbor> address-family <address-family> in</code> command. | 4.2.1-5.5.1 | 5.6.0-5.10.1|
| <a name="3474391"></a> [3474391](#3474391) <a name="3474391"></a> <br /> | The SNMP MIB definition file <code>/usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt</code> does not define the INDEX of the <code>bgpPeerEntry</code> correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0-5.10.1|
| <a name="3445841"></a> [3445841](#3445841) <a name="3445841"></a> <br /> | FRR does not apply Type-0 ESI configuration for EVPN multihoming bonds consistently after an FRR service reload. This issue occurs because the system MAC address value (<code>es-sys-mac</code>) is only compatible with a 3-byte Ethernet segment ID (<code>es-id</code>) for Type-3 ESIs, but still renders even when the Ethernet segment ID is 10 bytes for Type-0 ESIs. To work around this issue, configure EVPN multihoming bonds with a Type-3 ESI (<code>es-sys-mac</code> plus a 3-byte <code>es-id</code>). | 5.0.0-5.6.0 | 5.7.0-5.10.1|
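Review bot: the hunk header (-22,7 +22,6) records one row removed and none added, but the rendered view carries no +/- markers, so the removed row cannot be identified from this hunk alone; the rn.xml hunks in the same commit drop the 3491259 row (BGP crash on duplicate attr entries after an EVPN type-5 route with a gateway IP overlay attribute), so confirm that the row removed here is the same one, otherwise rn.md and rn.xml will disagree about which issues are listed. While touching this table, the 3585467 row reads "This issues occurs" and should read "This issue occurs", and the 3554231 row is missing a full stop after "CVE-2016-10009" and after "-P ''".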
Expand Down Expand Up @@ -168,7 +167,6 @@ pdfhidden: True
| <a name="3585467"></a> [3585467](#3585467) <a name="3585467"></a> <br /> | NVUE and <code>ip link</code> show traditional bridge VLAN subinterface counts incorrectly. The ingress (Rx) count increments correctly but the egress (Tx) count does not increment. This issues occurs because the hardware does not support transmit counters for a VLAN subinterface; therefore, no statistics from the hardware are updated. Statistics for software forwarded packets show correctly. | 5.0.0-5.6.0 | 5.7.0-5.10.1|
| <a name="3560622"></a> [3560622](#3560622) <a name="3560622"></a> <br /> | When you configure a route distinguisher (RD) or a route target (RT) manually for layer 2 VNIs, type-1 routes are not properly updated, type-1 EVI routes with the old RD are not properly withdrawn, and type-1 ES routes do not have the corresponding layer 2 VNI route target updated. | 5.0.0-5.5.1 | 5.6.0-5.10.1|
| <a name="3554231"></a> [3554231](#3554231) <a name="3554231"></a> <br /> | CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009<br />Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P '')<br />For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. | 4.0.0-4.3.1, 5.0.0-5.10.1 | 4.3.2-4.4.5|
| <a name="3491259"></a> [3491259](#3491259) <a name="3491259"></a> <br /> | When BGP receives an EVPN type-5 route with a gateway IP overlay attribute, the gateway IP overlay attribute in the <code>attr memory</code> (which is already inserted in the attribute hash) might change. As a result, the modified <code>attr memory</code> might match with another <code>attr</code> in the attribute hash, which produces duplicate entries in the hash table. As a result, BGP might crash when deleting one of the duplicate <code>attr</code> structures. | 5.0.0-5.5.1 | 5.6.0-5.10.1|
| <a name="3488136"></a> [3488136](#3488136) <a name="3488136"></a> <br /> | When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the <code>nv action clear vrf <vrf> router bgp neighbor <neighbor> address-family <address-family> in</code> command. | 4.2.1-5.5.1 | 5.6.0-5.10.1|
| <a name="3474391"></a> [3474391](#3474391) <a name="3474391"></a> <br /> | The SNMP MIB definition file <code>/usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt</code> does not define the INDEX of the <code>bgpPeerEntry</code> correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0-5.10.1|
| <a name="3445841"></a> [3445841](#3445841) <a name="3445841"></a> <br /> | FRR does not apply Type-0 ESI configuration for EVPN multihoming bonds consistently after an FRR service reload. This issue occurs because the system MAC address value (<code>es-sys-mac</code>) is only compatible with a 3-byte Ethernet segment ID (<code>es-id</code>) for Type-3 ESIs, but still renders even when the Ethernet segment ID is 10 bytes for Type-0 ESIs. To work around this issue, configure EVPN multihoming bonds with a Type-3 ESI (<code>es-sys-mac</code> plus a 3-byte <code>es-id</code>). | 5.0.0-5.6.0 | 5.7.0-5.10.1|
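Review bot: in the 3488136 row the command placeholders are written as raw `<vrf>`, `<neighbor>` and `<address-family>` inside `<code>`; a Markdown renderer that permits inline HTML will parse those as unknown tags and silently drop them, leaving the published command as `nv action clear vrf  router bgp neighbor  address-family  in`. The rn.xml version of the same row escapes them as `&lt;vrf&gt;`, `&lt;neighbor&gt;` and `&lt;address-family&gt;`; use the same escaping here (or a fenced/backtick code span) so the placeholders survive rendering. As with the first hunk, the header (-168,7 +167,6) shows one row removed with no replacement; confirm it is the 3491259 row so that both tables in this file change consistently.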
12 changes: 0 additions & 12 deletions content/cumulus-linux-50/rn.xml
Expand Up @@ -70,12 +70,6 @@ For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turn
<td>4.3.2-4.4.5</td>
</tr>
<tr>
<td>3491259</td>
<td>When BGP receives an EVPN type-5 route with a gateway IP overlay attribute, the gateway IP overlay attribute in the {{attr memory}} (which is already inserted in the attribute hash) might change. As a result, the modified {{attr memory}} might match with another {{attr}} in the attribute hash, which produces duplicate entries in the hash table. As a result, BGP might crash when deleting one of the duplicate {{attr}} structures. </td>
<td>5.0.0-5.5.1</td>
<td>5.6.0-5.10.1</td>
</tr>
<tr>
<td>3488136</td>
<td>When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the {{nv action clear vrf &lt;vrf&gt; router bgp neighbor &lt;neighbor&gt; address-family &lt;address-family&gt; in}} command.</td>
<td>4.2.1-5.5.1</td>
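Review bot: this hunk (-70,12 +70,6) removes the complete six-line `<tr>` for issue 3491259 (affected 5.0.0-5.5.1, fixed 5.6.0-5.10.1) with nothing added in its place, and the file header confirms 0 additions and 12 deletions overall. Because this is a merge commit ('stage' into rachel-stage) rather than an authored change, confirm that dropping the entry is intentional, for example because the issue record was retired, and not a merge-resolution loss; if it is intentional, the matching row in content/cumulus-linux-50/Whats-New/rn.md needs to go too, otherwise the generated release notes and the XML source will list different issues.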
Expand Down Expand Up @@ -1030,12 +1024,6 @@ For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turn
<td>4.3.2-4.4.5</td>
</tr>
<tr>
<td>3491259</td>
<td>When BGP receives an EVPN type-5 route with a gateway IP overlay attribute, the gateway IP overlay attribute in the {{attr memory}} (which is already inserted in the attribute hash) might change. As a result, the modified {{attr memory}} might match with another {{attr}} in the attribute hash, which produces duplicate entries in the hash table. As a result, BGP might crash when deleting one of the duplicate {{attr}} structures. </td>
<td>5.0.0-5.5.1</td>
<td>5.6.0-5.10.1</td>
</tr>
<tr>
<td>3488136</td>
<td>When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the {{nv action clear vrf &lt;vrf&gt; router bgp neighbor &lt;neighbor&gt; address-family &lt;address-family&gt; in}} command.</td>
<td>4.2.1-5.5.1</td>
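Review bot: the second copy of the 3491259 `<tr>` at line 1030 is removed here with the same six-line deletion as the first hunk (the new-side offset -1030,12 +1024,6 reflects the earlier removal), so the two tables in this file stay consistent with each other. Worth stating in the commit or PR description why the entry is withdrawn: the row carried a fixed-in range of 5.6.0-5.10.1, so readers on 5.0.0-5.5.1 lose the only notice that the BGP crash was fixed in 5.6.0. If the intent is only to drop it from the open-issues table, keep the row in the fixed-issues table rather than removing both occurrences.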