1.1.0/Release notes

From VyOS jp (latest revision as of 07:41, 12 December 2017).

== Overview ==

The 1.1.0 release ("helium" branch) is the feature expansion release following the 1.0.x series.

== New features ==

* [[L2TPv3]]
* [[IGMP proxy]]

Experimental features:

* [[DMVPN]]
* [[VXLAN]]

New pipes:

'''| strip-private''' — removes private information from the conf mode "show" output.

<pre>
# show system login | strip-private
 user xxxxxx {
     authentication {
         encrypted-password xxxxxx
     }
     level admin
 }
</pre>

'''| commands''' — converts conf mode "show" output to set commands.

<pre>
# show interfaces tunnel | commands
set tunnel tun0 encapsulation 'gre'
set tunnel tun0 local-ip '10.46.1.242'
set tunnel tun0 remote-ip '10.91.19.1'
</pre>
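As an added example (not VyOS's own code), the following Python re-implements both pipes over the brace-structured text that conf mode "show" prints: <code>to_commands</code> flattens it into set commands, and <code>strip_private</code> redacts the kind of values strip-private hides (user names, password hashes, SSH public keys). The sample inputs are constructed, and the list of private node names is an assumption, not the list VyOS itself uses.

```python
"""Re-implementation of the "| commands" and "| strip-private" pipes.

Added example, not VyOS code. The set of private node names below is an
assumption chosen for the demonstration; VyOS keeps its own list.
"""
from typing import List, Sequence

# Constructed sample: what "show system login" prints before any pipe.
SAMPLE_LOGIN = """\
 user vyos {
     authentication {
         encrypted-password $6$AbCdEfGh$xyz
         plaintext-password ""
         public-keys admin@example {
             key AAAAB3NzaC1yc2EAAAADAQAB
             type ssh-rsa
         }
     }
     level admin
 }
"""

# Constructed sample matching the "show interfaces tunnel" output above.
SAMPLE_TUNNEL = """\
 tunnel tun0 {
     encapsulation gre
     local-ip 10.46.1.242
     remote-ip 10.91.19.1
 }
"""

# Leaf nodes whose value is secret. "key" covers "public-keys <id> key <blob>",
# the case bug 567 in these notes reports strip-private missing.
PRIVATE_LEAVES = {"encrypted-password", "plaintext-password", "pre-shared-secret",
                  "key", "secret", "password", "community"}
# Tag nodes whose identifier is itself private (user names, key owners).
PRIVATE_TAG_NODES = {"user", "public-keys"}
MASK = "xxxxxx"


def to_commands(show_output: str, prefix: Sequence[str] = ()) -> List[str]:
    """Flatten brace-structured "show" output into "set <path> '<value>'" lines.

    prefix is the config path "show" was run under (e.g. system login), since
    the pipe output is relative to that node.
    """
    path: List[str] = list(prefix)
    frames: List[int] = []  # how many path components each open block pushed
    commands: List[str] = []
    for raw in show_output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            if not frames:
                raise ValueError("unbalanced '}' in show output")
            del path[len(path) - frames.pop():]
            continue
        if line.endswith("{"):
            words = line[:-1].split()  # "user vyos {" -> ["user", "vyos"]
            path.extend(words)
            frames.append(len(words))
            continue
        name, _, value = line.partition(" ")
        cmd = "set " + " ".join(path + [name])
        if value:
            # "show" prints bare or double-quoted values; set commands single-quote them.
            cmd += " '" + value.strip().strip('"') + "'"
        commands.append(cmd)
    if frames:
        raise ValueError("unbalanced '{' in show output")
    return commands


def strip_private(show_output: str) -> str:
    """Replace private identifiers and secret leaf values with a fixed mask.

    Structure (braces, indentation, non-secret leaves) is kept, so the result
    still parses with to_commands and can be shared for troubleshooting.
    """
    out: List[str] = []
    for raw in show_output.splitlines():
        indent = raw[: len(raw) - len(raw.lstrip())]
        line = raw.strip()
        if line.endswith("{"):
            words = line[:-1].split()
            if len(words) > 1 and words[0] in PRIVATE_TAG_NODES:
                words[1:] = [MASK]  # "user vyos {" -> "user xxxxxx {"
            out.append(indent + " ".join(words) + " {")
        elif line and line != "}":
            name, _, value = line.partition(" ")
            if name in PRIVATE_LEAVES and value:
                line = name + " " + MASK
            out.append(indent + line)
        else:
            out.append(raw)
    return "\n".join(out)


if __name__ == "__main__":
    print("\n".join(to_commands(SAMPLE_TUNNEL)))
    print(strip_private(SAMPLE_LOGIN))
```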
  
== Upgrade notes ==
+
== アップグレードについて ==
  
Both legacy VC systems and VyOS 1.0.x systems can be upgraded with "add system image", no special actions needed.
+
Vyatta Core と VyOS 1.0.x は、 "add system image" により、アップグレード可能です。特別な手順はありません。
  
== CLI changes ==
+
== CLI の変更 ==
  
=== Configuration mode ===
+
=== コンフィグモード ===
  
Changes to already existing features:
+
既存機能に対する変更点:
  
 
{| class="wikitable"
 
{| class="wikitable"
 
  |-
 
  |-
  ! Command
+
  ! コマンド
  ! Status
+
  ! ステータス
  ! Comment
+
  ! コメント
 
  |-
 
  |-
 
  | set interfaces ethernet ethX pppoe X disable
 
  | set interfaces ethernet ethX pppoe X disable
  | Added
+
  | 追加
  | Administratively disables a PPPoE session
+
  | PPPoE のセッションを無効にする。
 
  |-
 
  |-
 
  | set interfaces ethernet eth0 pppoe 0 default-route <auto none force>
 
  | set interfaces ethernet eth0 pppoe 0 default-route <auto none force>
  | Modified
+
  | 修正
  | Allows "force" option to force default route via PPPoE session
+
  | 強制的に PPPoE のセッションをデフォルトルートにする、 "force" オプションを追加。
 
  |-
 
  |-
 
  | set vpn pptp remote-access authentication require <chap pap mschap mschap-v2>
 
  | set vpn pptp remote-access authentication require <chap pap mschap mschap-v2>
  | Added
+
  | 追加
  | Require specific authentication protocol
+
  | 特定の認証プロトコルを必須にする。
 
  |-
 
  |-
 
  | set interfaces openvpn vtunX server reject-unconfigured-clients
 
  | set interfaces openvpn vtunX server reject-unconfigured-clients
  | Added
+
  | 追加
  | Rejects clients that are not configured under "server client" (OpenVPN --ccd-exclusive option)
+
  | "server client" 配下に設定されていないクライアントを拒否する。(OpenVPN --ccd-exclusive オプション)
 
  |-
 
  |-
 
  | set interfaces openvpn <name> persistent-tunnel
 
  | set interfaces openvpn <name> persistent-tunnel
  | Added
+
  | 追加
  | --persist-run OpenVPN option
+
  | OpenVPN の --persist-run オプション。
 
  |-
 
  |-
 
  | set interfaces <ethernet pseudo-ethernet bridge bonding> ... ip disable-arp-filter
 
  | set interfaces <ethernet pseudo-ethernet bridge bonding> ... ip disable-arp-filter
  | Added
+
  | 追加
  | Disables ARP filter on an interface
+
  | インターフェースの arp-filter を無効にする。
 
  |-
 
  |-
 
  | set interfaces <ethernet pseudo-ethernet bridge bonding> ... ip enable-arp-accept
 
  | set interfaces <ethernet pseudo-ethernet bridge bonding> ... ip enable-arp-accept
  | Added
+
  | 追加
  | Enables arp-accept on this interface
+
  | インターフェースの arp-accept を有効にする。
 
  |-
 
  |-
 
  | set interfaces <ethernet pseudo-ethernet bridge bonding> ... ip enable-arp-announce
 
  | set interfaces <ethernet pseudo-ethernet bridge bonding> ... ip enable-arp-announce
  | Added
+
  | 追加
  | Enables arp-announce on this interface
+
  | インターフェースの arp-announce を有効にする。
 
  |-
 
  |-
 
  | set interfaces <ethernet pseudo-ethernet bridge bonding> ... ip enable-arp-ignore
 
  | set interfaces <ethernet pseudo-ethernet bridge bonding> ... ip enable-arp-ignore
  | Added
+
  | 追加
  | Enables arp-ignore on this interface
+
  | インターフェースの arp-ignore を有効にする。
 
  |-
 
  |-
 
  | set system options ctrl-alt-del-action <ignore reboot poweroff>
 
  | set system options ctrl-alt-del-action <ignore reboot poweroff>
  | Added
+
  | 追加
  | Changes actions the system performs on Ctrl-Alt-Del (default is ignore)
+
  | Ctrl-Alt-Del の挙動を変更する。(デフォルトは ignore)
 
  |-
 
  |-
 
  | set firewall twa-hazards-protection <enable disable>
 
  | set firewall twa-hazards-protection <enable disable>
  | Added
+
  | 追加
  | Enables or disables RFC1337 TIME-WAIT assasination hazards protection
+
  | RFC1337 TIME-WAIT assasination hazards の防御を有効、または無効にする。
 
  |-
 
  |-
 
  | set interfaces <type> <name> ip source-validation <disable loose strict>
 
  | set interfaces <type> <name> ip source-validation <disable loose strict>
  | Added
+
  | 追加
  | Sets source validation policy for specified interface
+
  | インターフェースのソースバリデーションの設定。
 
  |-
 
  |-
 
  | set interfaces ethernet ethX ipv6 router-advert name-server <ipv6 address>
 
  | set interfaces ethernet ethX ipv6 router-advert name-server <ipv6 address>
  | Added
+
  | 追加
  | Sets RFC6106 name server to advertise in RA
+
  | RAで広報するため、 RFC6106 のネームサーバを設定する。
 
  |-
 
  |-
 
  | set protocols rip passive-interface <interface-name or "default">
 
  | set protocols rip passive-interface <interface-name or "default">
  | Modified
+
  | 修正
  | "default" option is now available
+
  | "default" オプションを追加。
 
  |-
 
  |-
 
  | set system syslog host <host> facility <facility> protocol (tcp udp)
 
  | set system syslog host <host> facility <facility> protocol (tcp udp)
  | Added
+
  | 追加
  | Sets remote syslog protocol to TCP or UDP
+
  | リモートの syslog のプロトコルを TCP または、 UDP に設定する。
 
  |-
 
  |-
 
  | set service snmp smux-peer <oid>
 
  | set service snmp smux-peer <oid>
  | Added
+
  | 追加
  | Sets SMUX peer OID
+
  | SMUX peer OID を設定。
 
  |-
 
  |-
 
  | set vpn ipsec ike-group <group> proposal <proposal> dh-group <2 5 14-26>
 
  | set vpn ipsec ike-group <group> proposal <proposal> dh-group <2 5 14-26>
  | Modified
+
  | 修正
  | DH groups 14 to 26 can be set now, apart from 2 and 5
+
  | dh-group に 2、 5 に加えて、 14 から 26 を設定可能にした。
 
  |-
 
  |-
 
  | set vpn ipsec <ike-group esp-group> proposal <proposal> hash <md5 sha1 sha256 sha384 sha512>
 
  | set vpn ipsec <ike-group esp-group> proposal <proposal> hash <md5 sha1 sha256 sha384 sha512>
  | Modified
+
  | 修正
  | Accepts SHA2 sums now, apart from MD5 and SHA1
+
  | SHA2 を追加。
 
  |-
 
  |-
 
  | set vpn ipsec ike-group <group> key-exchange <ikev1 ikev2>
 
  | set vpn ipsec ike-group <group> key-exchange <ikev1 ikev2>
  | Added
+
  | 追加
  | Sets key exchange protocol version. Default is IKEv2.
+
  | 鍵交換プロトコルのバージョンに IKEv2 を追加し、デフォルトを IKEv2 にした。
 
  |-  
 
  |-  
 
  | set vpn ipsec ike-group <group> mobike <enable disable>
 
  | set vpn ipsec ike-group <group> mobike <enable disable>
  | Added
+
  | 追加
  | Enables or disables MOBIKE. For IKEv1, default is disable; for IKEv2, default is enable.
+
  | MOBIKE を有効、または無効にする。IKEv1 での、デフォルトは無効、 IKEv2でのデフォルトは有効。
 
  |-
 
  |-
 
  | set service ssh ciphers <ciphers list>
 
  | set service ssh ciphers <ciphers list>
  | Added
+
  | 追加
  | Restricts SSH to ciphers from the list
+
  | リストを元に SSH の暗号方式を制限する。
 
  |-
 
  |-
 
  | set interfaces ... ip proxy-arp-pvlan
 
  | set interfaces ... ip proxy-arp-pvlan
  | Added
+
  | 追加
  | Enable private VLAN proxy ARP for the interface
+
  | インターフェースのプライベート VLAN のプロキシ ARP を有効にする。
 
  |-
 
  |-
 
  |}
 
  |}
  
=== Operational mode ===
+
=== オペレーションモード ===
  
 
{| class="wikitable"
 
{| class="wikitable"
 
  |-
 
  |-
  ! Command
+
  ! コマンド
  ! Status
+
  ! ステータス
  ! Comment
+
  ! コメント
 
  |-
 
  |-
 
  | restart webproxy clear-cache
 
  | restart webproxy clear-cache
  | Added
+
  | 追加
  | Clears webproxy cache and restarts the process (it's not possible to clear cache without restart)
+
  | webproxy のキャッシュをクリアし、プロセスを再起動する。 (再起動なしにキャッシュをクリアすることはできない。)
 
  |-
 
  |-
 
  | force arp reply interface <interface name> address <MAC address>
 
  | force arp reply interface <interface name> address <MAC address>
  | Added
+
  | 追加
  | Sends gratuitous ARP reply for specific address
+
  | Gratuitous ARP 応答を特定のアドレスに送信する。
 
  |-
 
  |-
 
  | force arp request interface <interface name> address <MAC address>
 
  | force arp request interface <interface name> address <MAC address>
  | Added
+
  | 追加
  | Sends gratuitous ARP request for specific address
+
  | Gratuitous ARP 要求を特定のアドレスに送信する。
 
  |-
 
  |-
 
  | show system memory cache
 
  | show system memory cache
  | Fixed
+
  | 修正
  | Shows kernel cache information
+
  | カーネルキャッシュの情報を表示する。
 
  |-
 
  |-
 
  | show ip route cache
 
  | show ip route cache
  | Deprecated
+
  | 非推奨
  | Returns nothing now, as route cache was removed from the kernel
+
  | カーネルからルートキャッシュがなくなったため、何も返さない。
 
  |-
 
  |-
 
  |}
 
  |}
  
== Behaviour changes ==
+
== 挙動の変更 ==
  
 
{| class="wikitable"
 
{| class="wikitable"
 
  |-
 
  |-
  ! Command/action/component
+
  ! コマンド/アクション/コンポーネント
  ! Change
+
  ! 変更内容
  ! Old behaviour
+
  ! 以前の挙動
  ! Motivation
+
  ! 変更理由
 
  |-
 
  |-
 
  | run generate openvpn key <file>
 
  | run generate openvpn key <file>
  | Places the key file in /config/auth unless a full path is specified
+
  | フルパスを指定しない限り、 /config/auth に鍵ファイルを配置する。
  | Used to place it in current user home dir
+
  | カレントユーザのホームディレクトリに配置。
  | Ease of use, persistence through upgrades
+
  | 使いやすさのため、アップグレード時の永続性のため。
 
  |-
 
  |-
 
  | DHCPv6 server
 
  | DHCPv6 server
  | DHCPv6 server leases are now stored in /config
+
  | DHCPv6 サーバのリースファイルを /config 配下に配置。
  | Used to store it in /var/lib
+
  | /var/lib 配下に配置。
  | Persistence through upgrades
+
  | アップグレード時の永続性のため。
 
  |-
 
  |-
 
  | Firewall groups
 
  | Firewall groups
  | Firewall port-groups and address-groups now use native IPset range feature
+
  | ファイアウォールの port-groups address-groups で、ネイティブな IPset range の機能を使用。
  | Used to call IPset repeatedly for each member
+
  | それぞれのメンバ毎に繰り返し IPset を呼び出し。
  | Performance
+
  | パフォーマンス向上のため。
 
  |-
 
  |-
 
  | Wireless
 
  | Wireless
  | First offered cipher is now CCMP
+
  | 最初に提案する暗号方式を CCMP に変更。
  | Used to offer TKIP and then CCMP
+
  | TKIP を提案した後、 CCMP を提案。
  | Some broken clients use the first offered cipher
+
  | いくつかのクライアントでは、最初に提案した暗号方式を使用するため。
 
  |-
 
  |-
 
  |}
 
  |}
  
== Resolved issues ==
+
== 解決済の問題 ==
  
 
{| class="wikitable"
 
{| class="wikitable"
 
  |-
 
  |-
  ! Bug ID
+
  ! バグID
  ! Severity
+
  ! 重要度
  ! Title
+
  ! タイトル
  ! Contributor
+
  ! コントリビュータ
 
  |-
 
  |-
 
  | {{bug|2}}
 
  | {{bug|2}}
709行: 710行:
 
  |}
 
  |}
  
== Development environment changes ==
+
== 開発環境の変更 ==
  
 
* Added "tools/setup-vyos-build-env" script that automatically setups basic ISO build dependencies.
 
* Added "tools/setup-vyos-build-env" script that automatically setups basic ISO build dependencies.
 +
 +
= メンテナンスリリース =
 +
 +
== 1.1.1 ==
 +
 +
リリース日: 2014/12/8
 +
 +
ダウンロード: [http://packages.vyos.net/iso/release/1.1.1/ http://packages.vyos.net/iso/release/1.1.1/]
 +
 +
=== セキュリティ ===
 +
 +
解決したセキュリティの問題:
 +
* [https://security-tracker.debian.org/tracker/CVE-2014-3158 CVE-2014-3158 (ppp potential local privilege escalation)]
 +
 +
=== 既知の問題 / ワークアラウンド ===
 +
 +
Due to an issue with the OpenSSL package used for Helium, the 64-bit image released for 1.1.0 caused segmentation faults when using SSH on this platform.  This
 +
is due to a failure of the SSH host key creation process on this platform.  The 1.1.1 release contains a downgraded version of the OpenSSL package, correcting this
 +
issue, while this is investigated ({{bug|345}})
 +
 +
=== 解決した問題 ===
 +
 +
{| class="wikitable"
 +
|-
 +
! バグID
 +
! 重要度
 +
! タイトル
 +
! コントリビュータ
 +
|-
 +
| {{bug|147}}
 +
| Enhancement
 +
| Please implement BCP38 (Reverse Path Filtering
 +
| Ubiquiti Networks (Stig Thormodsrud), Ryan Riske
 +
|-
 +
| {{bug|191}}
 +
| Minor
 +
| ipv6 BGP Clear via soft in/out
 +
| agusr
 +
|-
 +
| {{bug|312}}
 +
| Minor
 +
| OpenVPN CLI allows remote and local address to be the same
 +
| Daniil Baturin
 +
|-
 +
| {{bug|334}}
 +
| Minor
 +
| DHCP sends incorrect hostname to client when use-host-decl-names is on
 +
| Alex Harpin
 +
|-
 +
| {{bug|336}}
 +
| Major
 +
| Login block deleted on reboot when user does not have password
 +
| Alex Harpin
 +
|-
 +
| {{bug|340}}
 +
| Minor
 +
| configuration backup command doesn't work
 +
| Alex Harpin
 +
|-
 +
| {{bug|342}}
 +
| Minor
 +
| Password reset only works for the "vyos" user
 +
| Alex Harpin
 +
|-
 +
| {{bug|350}}
 +
| Major
 +
| LDAP Auth through Vyos
 +
| Daniil Baturin
 +
|-
 +
| {{bug|351}}
 +
| Major
 +
| there is mistake into squid.conf
 +
| Daniil Baturin
 +
|-
 +
| {{bug|354}}
 +
| Major
 +
| PPTP doesn't work when required authentication protocol is not specified
 +
| Daniil Baturin
 +
|-
 +
| {{bug|355}}
 +
| Enchancement
 +
| vyatta-cfg-system: set default vyos password hash to sha-512 when reset
 +
| Alex Harpin
 +
|-
 +
| {{bug|364}}
 +
| Minor
 +
| ppp potential local privilege escalation CVE-2014-3158
 +
| Toni Cunyat
 +
|-
 +
| {{bug|381}}
 +
| Major
 +
| VxLAN's "link" option does not work
 +
| Hiroshi Umehara
 +
|-
 +
|}
 +
 +
== 1.1.2 ==
 +
 +
Release date: 2015 January 22
 +
 +
=== セキュリティ ===
 +
 +
Several vulnerabilities in NTP have been fixed: CVE-2014-9293, CVE-2014-9294, CVE-2014-9295.
 +
 +
=== 互換性についての注意 ===
 +
 +
Before the fix for {{bug|415}} the system allowed using "authentication remote-id" option for peers with "@something names"
 +
but didn't use it in any way; it used to be undefined and undocumented behaviour. Now remote-id option overrides the peer name id
 +
in this case. If you left it configured by mistake in a "@something" peer, remove it.
 +
 +
=== 解決した問題 ===
 +
 +
{| class="wikitable"
 +
|-
 +
! バグID
 +
! 重要度
 +
! タイトル
 +
! コントリビュータ
 +
|-
 +
| {{bug|345}}
 +
| Major
 +
| SSH command returns "Segmentation fault"
 +
| Debian team, Hiroyuki Sato, Alex Harpin
 +
|-
 +
| {{bug|348}}
 +
| Minor
 +
| Pre-shared key regex is too restrictive
 +
| Daniil Baturin
 +
|-
 +
| {{bug|350}}
 +
| Major
 +
| Squidguard is built without LDAP support
 +
| Igor Golubkov, Alex Harpin
 +
|-
 +
| {{bug|358}}
 +
| Major
 +
| Can't reach other side of VTI IPsec tunnel but can see packets on VTI interface
 +
| Alex Harpin
 +
|-
 +
| {{bug|388}}
 +
| Major
 +
| IKEv2 SA's are not shown in "show vpn ipsec sa"
 +
| Jason Hendry
 +
|-
 +
| {{bug|395}}
 +
| Major
 +
| IKEv2 Strongswan Re-Authentication Bug
 +
| Jason Hendry
 +
|-
 +
| {{bug|396}}
 +
| Minor
 +
| Fix "show vpn ike sa" when reauth=no
 +
| Jason Hendry
 +
|-
 +
| {{bug|398}}
 +
| Minor
 +
| "show vpn ipsec sa" does not show left/right subnets with IKEv2
 +
| Jason Hendry
 +
|-
 +
| {{bug|403}}
 +
| Major
 +
| Multiple users changing the running config may cause config subsystem internal errors
 +
| Alex Harpin
 +
|-
 +
| {{bug|405}}
 +
| Major
 +
| VTI Routing broken over ipsec
 +
| Alex Harpin
 +
|-
 +
| {{bug|411}}
 +
| Minor
 +
| Loading SSH key with spaces in comment fails
 +
| Jared Baldridge
 +
|-
 +
| {{bug|414}}
 +
| Minor
 +
| Site-to-site IPsec config script doesn't quote local id properly
 +
| Daniil Baturin
 +
|-
 +
| {{bug|415}}
 +
| Minor
 +
| remote-id option doesn't override rightid for peers with @id names
 +
| Daniil Baturin
 +
|-
 +
| {{bug|418}}
 +
| Major
 +
| ntp: import RedHat patch to fix CVE-2014-9293
 +
| RedHat
 +
|-
 +
| {{bug|419}}
 +
| Minor
 +
| ntp: import RedHat patch to fix CVE-2014-9294
 +
| RedHat
 +
|-
 +
| {{bug|420}}
 +
| Major
 +
| ntp: import RedHat patch to fix CVE-2014-9295
 +
| RedHat
 +
|-
 +
| {{bug|421}}
 +
| Minor
 +
| ntp: import RedHat patch to fix CVE-2014-9296
 +
| RedHat
 +
|-
 +
| {{bug|431}}
 +
| Minor
 +
| IKEv2 SA Information Sometimes Fails
 +
| Jason Hendry
 +
|-
 +
| {{bug|438}}
 +
| Minor
 +
| show host domain replies (none)
 +
| Alex Harpin
 +
|-
 +
| {{bug|451}}
 +
| Trivial
 +
| Update pre-shared secret key help for single quotes
 +
| Alex Harpin
 +
|-
 +
|}
 +
 +
== 1.1.3 ==
 +
 +
Release date: 2015 January 28
 +
 +
=== セキュリティ ===
 +
 +
解決したセキュリティの問題:
 +
 +
* [https://security-tracker.debian.org/tracker/CVE-2015-0235 CVE-2015-0235 (GHOST)]
 +
 +
== 1.1.4 ==
 +
 +
Release date: 2015 March 09
 +
 +
=== セキュリティ ===
 +
 +
解決したセキュリティの問題:
 +
 +
* [https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b CVE-2014-8104 (Authenticated client can crash OpenVPN]
 +
* {{bug|498}} (Operator level users are allowed to execute remote commands via SSH)
 +
 +
=== 互換性についての注意点 ===
 +
 +
オペレーションモードのコマンド "show shutdown" は "show poweroff" に変更されました。
 +
 +
=== 解決した問題 ===
 +
 +
{| class="wikitable"
 +
|-
 +
! バグID
 +
! 重要度
 +
! タイトル
 +
! コントリビュータ
 +
|-
 +
| {{bug|35}}
 +
| Minor
 +
| Unable to configure webproxy listen-address when it's associated with an OpenVPN tunnel interface
 +
| Igor Golubkov, Alex Harpin
 +
|-
 +
| {{bug|130}}
 +
| Minor
 +
| VRRP group description is not displayed
 +
| Alex Harpin
 +
|-
 +
| {{bug|298}}
 +
| Minor
 +
| On shutdown the SSH session on the client does not get disconnected
 +
| Alex Harpin
 +
|-
 +
| {{bug|329}}
 +
| Minor
 +
| L2TP IPSec does not accept connections if PSK contains special characters
 +
| Alex Harpin
 +
|-
 +
| {{bug|343}}
 +
| Minor
 +
| "Malformed lease" when we have an abandoned DHCP lease
 +
| Alex Harpin
 +
|-
 +
| {{bug|367}}
 +
| Minor
 +
| Incorrect PFS config generation in DMVPN
 +
| Kim Hagen
 +
|-
 +
| {{bug|377}}
 +
| Trivial
 +
| Pipe (for conversion) to commands should only be available in config context
 +
| Daniil Baturin
 +
|-
 +
| {{bug|382}}
 +
| Minor
 +
| Removing system ipv6 forwarding causes script error
 +
| Carl Byington, Hiroyuki Sato
 +
|-
 +
| {{bug|400}}
 +
| Major
 +
| OpenVPN denial of service vulnerability (CVE-2014-8104)
 +
| OpenVPN maintainers
 +
|-
 +
| {{bug|401}}
 +
| Minor
 +
| IKEv2 SA Info not displaying when rekeying is disabled
 +
| Jason Hendry
 +
|-
 +
| {{bug|402}}
 +
| Minor
 +
| "show vpn ike sa" displays the wrong information for DH-group
 +
| Jason Hendry
 +
|-
 +
| {{bug|423}}
 +
| Major
 +
| Webproxy ldap auth with spaces in binddn and ldap port with squidGuard
 +
| Igor Golubkov
 +
|-
 +
| {{bug|433}}
 +
| Minor
 +
| reject-unconfigured-clients statement does not work
 +
| Sean Maguire, Alex Harpin
 +
|-
 +
| {{bug|441}}
 +
| Minor
 +
| wan-load-balance service does not reliably daemonize
 +
| Chris Wadge, Alex Harpin
 +
|-
 +
| {{bug|453}}
 +
| Text
 +
| vyatta-wireless: update wpa passphrase help for single quotes
 +
| Alex Harpin
 +
|-
 +
| {{bug|460}}
 +
| Enhancement
 +
| vyatta-op: update the system poweroff cli command to be script based
 +
| Alex Harpin
 +
|-
 +
| {{bug|461}}
 +
| Enhancement
 +
| vyatta-op: replace 'show shutdown' with 'show poweroff' and use script
 +
| Alex Harpin
 +
|-
 +
| {{bug|468}}
 +
| Minor
 +
| resolv.conf - invalid format causing extra DNS request
 +
| Andreas Sundstrom, Alex Harpin
 +
|-
 +
| {{bug|483}}
 +
| Enhancement
 +
| linux-firmware: add Intel iwlwifi firmwares
 +
| Firmware authors
 +
|-
 +
| {{bug|487}}
 +
| Trivial
 +
| Non-commited firewall names do not autocomplete
 +
| Daniil Baturin
 +
|-
 +
| {{bug|490}}
 +
| Major
 +
| Can't commit dhcpv6-options for client on ethernet interface
 +
| Daniil Baturin
 +
|-
 +
| {{bug|491}}
 +
| Minor
 +
| DHCPv6 client CLI allows temporary and parameters-only to be configured at the same time
 +
| Daniil Baturin
 +
|-
 +
| {{bug|492}}
 +
| Minor
 +
| DHCPv6 client CLI doesn't fail commit in case of errors
 +
| Daniil Baturin
 +
|-
 +
| {{bug|498}}
 +
| Major
 +
| Operator level users are allowed to execute remote commands via SSH
 +
| Daniil Baturin
 +
|}
 +
 +
== 1.1.5 ==
 +
 +
Release date: 2015 March 25
 +
 +
=== セキュリティ ===
 +
 +
解決したセキュリティの問題:
 +
 +
下記のセキュリティに関する不具合は 0.9.8zfで解決しました。
 +
 +
* [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0287 CVE-2015-0287] (memory corruption in ASN.1 parsing).
 +
* [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0286 CVE-2015-0286] (denial of service in ASN1_TYPE_cmp() function).
 +
* [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0289 CVE-2015-0289] (NULL pointer dereference in the PKCS#7 parsing code, resulting in denial of service).
 +
* [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0293 CVE-2015-0293] (denial of service via a crafted SSLv2 CLIENT-MASTER-KEY message).
 +
* [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0209 CVE-2015-0209] (malformed EC private key may result in memory corruption).
 +
* [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0288 CVE-2015-0288] (missing input sanitising in the X509_to_X509_REQ() function might result in denial of service).
 +
 +
 +
=== 解決した問題 ===
 +
 +
{| class="wikitable"
 +
|-
 +
! Bug ID
 +
! Severity
 +
! Title
 +
! Contributor
 +
|-
 +
| {{bug|473}}
 +
| Minor
 +
| VIF Interfaces do not set MTU properly at boot for Jumbo Frames
 +
| Alex Harpin
 +
|-
 +
| {{bug|508}}
 +
| Major
 +
| dhcpv6-options doesn't work on VIF interfaces
 +
| Benjamin Beret
 +
|-
 +
| {{bug|521}}
 +
| Major
 +
| If a quagga daemon crashes, it can't be restarted
 +
| Daniil Baturin
 +
|-
 +
| {{bug|522}}
 +
| Major
 +
| Update OpenSSL to upstream version 0.9.8zf
 +
| OpenSSL developers, Alex Harpin (packaging)
 +
|-
 +
| {{bug|528}}
 +
| Major
 +
| Removing "address-family ipv6-unicast" from a BGP neighbor removes the whole neighbor
 +
| Daniil Baturin
 +
|-
 +
| {{bug|529}}
 +
| Trivial
 +
| vyatta-cfg-quagga builds useless packages
 +
| Daniil Baturin
 +
|-
 +
|}
 +
 +
== 1.1.6 ==
 +
 +
リリース日: 2015/08/17
 +
 +
=== セキュリティ ===
 +
 +
下記のセキュリティの問題が解決されています:
 +
* [https://access.redhat.com/security/cve/CVE-2015-5366 CVE-2015-5366] (remote UDP DoS in the kernel)
 +
 +
=== 解決した課題 ===
 +
 +
{| class="wikitable"
 +
|-
 +
! Bug ID
 +
! Severity
 +
! Title
 +
! Contributor
 +
|-
 +
| {{bug|406}}
 +
| Minor
 +
| No completion for uncommited firewall group names in rulesets
 +
| Daniil Baturin
 +
|-
 +
| {{bug|434}}
 +
| Minor
 +
| Client configuration file not configured unless client options present
 +
| Alex Harpin
 +
|-
 +
| {{bug|509}}
 +
| Text
 +
| Top Level CLI help Merge bad formatting
 +
| Alex Harpin
 +
|-
 +
| {{bug|517}}
 +
| Minor
 +
| commit-archive with scp location fails on self signed ssh keys
 +
| Alex Harpin
 +
|-
 +
| {{bug|541}}
 +
| Major
 +
| Creation of L2TPv3 interface with IPv6 endpoints fails
 +
| Daniil Baturin
 +
|-
 +
| {{bug|557}}
 +
| Major
 +
| 'delete system login user' doesn't remove the user
 +
| Alex Harpin
 +
|-
 +
| {{bug|567}}
 +
| Minor
 +
| The strip-private command fails to remove SSH keys
 +
| Alex Harpin
 +
|-
 +
| {{bug|573}}
 +
| Major
 +
| missing encrypted-password breaks user config node
 +
| Alex Harpin
 +
|-
 +
|}
 +
 +
=== Notes ===
 +
 +
このリリースイメージには更新された公開鍵(A0FE6D7E)が含まれています。
  
 
[[Category: Release notes]]
 
[[Category: Release notes]]
 +
 +
== 1.1.7 ==
 +
 +
Release date: 2016/02/17
 +
 +
=== セキュリティ ===
 +
 +
下記のセキュリティの問題が解決されています:
 +
* [https://googleonlinesecurity.blogspot.sg/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html CVE-2015-7547] (glibc stack-based buffer overflow when the getaddrinfo() library function is used)
 +
 +
== 1.1.8 ==
 +
 +
Release date: 2017/11/13
 +
 +
* [http://blog.vyos.net/1-dot-1-8-release-is-available-for-download リリースアナウンス ]

2017年12月12日 (火) 07:41時点における最新版

概要

1.1.0 リリース ("helium" ブランチ) は、 1.0.x から機能を追加したリリースです。

新機能

実験的な機能:

新しいパイプ:

| strip-private — コンフィグモードの "show" コマンドの出力からプライベートな情報を除外します。

# show system login | strip-private 
 user xxxxxx {
     authentication {
         encrypted-password xxxxxx
     }
     level admin
 }

| commands — コンフィグモードの "show" コマンドの出力をコマンド形式に変換します。

# show interfaces tunnel | commands 
set tunnel tun0 encapsulation 'gre'
set tunnel tun0 local-ip '10.46.1.242'
set tunnel tun0 remote-ip '10.91.19.1'

アップグレードについて

Vyatta Core と VyOS 1.0.x は、 "add system image" により、アップグレード可能です。特別な手順はありません。

CLI の変更

コンフィグモード

既存機能に対する変更点:

コマンド ステータス コメント
set interfaces ethernet ethX pppoe X disable 追加 PPPoE のセッションを無効にする。
set interfaces ethernet eth0 pppoe 0 default-route <auto none force> 修正 強制的に PPPoE のセッションをデフォルトルートにする、 "force" オプションを追加。
set vpn pptp remote-access authentication require <chap pap mschap mschap-v2> 追加 特定の認証プロトコルを必須にする。
set interfaces openvpn vtunX server reject-unconfigured-clients 追加 "server client" 配下に設定されていないクライアントを拒否する。(OpenVPN の --ccd-exclusive オプション)
set interfaces openvpn <name> persistent-tunnel 追加 OpenVPN の --persist-run オプション。
set interfaces <ethernet pseudo-ethernet bridge bonding> ... ip disable-arp-filter 追加 インターフェースの arp-filter を無効にする。
set interfaces <ethernet pseudo-ethernet bridge bonding> ... ip enable-arp-accept 追加 インターフェースの arp-accept を有効にする。
set interfaces <ethernet pseudo-ethernet bridge bonding> ... ip enable-arp-announce 追加 インターフェースの arp-announce を有効にする。
set interfaces <ethernet pseudo-ethernet bridge bonding> ... ip enable-arp-ignore 追加 インターフェースの arp-ignore を有効にする。
set system options ctrl-alt-del-action <ignore reboot poweroff> 追加 Ctrl-Alt-Del の挙動を変更する。(デフォルトは ignore)
set firewall twa-hazards-protection <enable disable> 追加 RFC1337 TIME-WAIT assasination hazards の防御を有効、または無効にする。
set interfaces <type> <name> ip source-validation <disable loose strict> 追加 インターフェースのソースバリデーションの設定。
set interfaces ethernet ethX ipv6 router-advert name-server <ipv6 address> 追加 RAで広報するため、 RFC6106 のネームサーバを設定する。
set protocols rip passive-interface <interface-name or "default"> 修正 "default" オプションを追加。
set system syslog host <host> facility <facility> protocol (tcp udp) 追加 リモートの syslog のプロトコルを TCP または、 UDP に設定する。
set service snmp smux-peer <oid> 追加 SMUX peer OID を設定。
set vpn ipsec ike-group <group> proposal <proposal> dh-group <2 5 14-26> 修正 dh-group に 2、 5 に加えて、 14 から 26 を設定可能にした。
set vpn ipsec <ike-group esp-group> proposal <proposal> hash <md5 sha1 sha256 sha384 sha512> 修正 SHA2 を追加。
set vpn ipsec ike-group <group> key-exchange <ikev1 ikev2> 追加 鍵交換プロトコルのバージョンに IKEv2 を追加し、デフォルトを IKEv2 にした。
set vpn ipsec ike-group <group> mobike <enable disable> 追加 MOBIKE を有効、または無効にする。IKEv1 での、デフォルトは無効、 IKEv2でのデフォルトは有効。
set service ssh ciphers <ciphers list> 追加 リストを元に SSH の暗号方式を制限する。
set interfaces ... ip proxy-arp-pvlan 追加 インターフェースのプライベート VLAN のプロキシ ARP を有効にする。

オペレーションモード

コマンド ステータス コメント
restart webproxy clear-cache 追加 webproxy のキャッシュをクリアし、プロセスを再起動する。 (再起動なしにキャッシュをクリアすることはできない。)
force arp reply interface <interface name> address <MAC address> 追加 Gratuitous ARP 応答を特定のアドレスに送信する。
force arp request interface <interface name> address <MAC address> 追加 Gratuitous ARP 要求を特定のアドレスに送信する。
show system memory cache 修正 カーネルキャッシュの情報を表示する。
show ip route cache 非推奨 カーネルからルートキャッシュがなくなったため、何も返さない。

挙動の変更

コマンド/アクション/コンポーネント 変更内容 以前の挙動 変更理由
run generate openvpn key <file> フルパスを指定しない限り、 /config/auth に鍵ファイルを配置する。 カレントユーザのホームディレクトリに配置。 使いやすさのため、アップグレード時の永続性のため。
DHCPv6 server DHCPv6 サーバのリースファイルを /config 配下に配置。 /var/lib 配下に配置。 アップグレード時の永続性のため。
Firewall groups ファイアウォールの port-groups と address-groups で、ネイティブな IPset range の機能を使用。 それぞれのメンバ毎に繰り返し IPset を呼び出し。 パフォーマンス向上のため。
Wireless 最初に提案する暗号方式を CCMP に変更。 TKIP を提案した後、 CCMP を提案。 いくつかのクライアントでは、最初に提案した暗号方式を使用するため。

解決済の問題

バグID 重要度 タイトル コントリビュータ
Bug #2 Enhancement Add a command to clear the squid web proxy cache Ewald van Geffen
Bug #7 Descriptions for openvpn interfaces are invisible in "show interfaces" Enhancement Alex Harpin
Bug #8 Enhancement 'generate openvpn key <filename>' should place the key file in the appropriate/suggested directory (/config/auth) Daniil Baturin
Bug #12 Provide a config parameter to administratively disable a pppoe session. Enhancement Daniil Baturin
Bug #13 Enhancement PPTP/L2TP: provide options to require or refuse individual authentication protocols Toni Cunyat
Bug #14 Enhancement openvpn - add ability on server to limit connection to clients with existing configuration files Daniil Baturin
Bug #19 Enhancement Add support for 802.1ad "Q-in-Q" VLANs Kim Hagen
Bug #21 Enhancement Add the ability to adjust system ARP settings via the CLI on a per interface basis Kim Hagen
Bug #37 Enhancement Add Linux Standards Base release package Kim Hagen, Daniil Baturin
Bug #39 Enhancement Add op-mode commands to send gratuitous ARP messages Daniil Baturin
Bug #45 Minor better input validation could avoid messy iptables error output for misconfigured ports Daniil Baturin
Bug #71 Minor "show system memory cache" gives "permission denied" message Kim Hagen
Bug #73 Enhancement Make Ctrl-Alt-Del behaviour configurable hydrajump
Bug #82 Enhancement Add support for Hyper-v vlan trunking Kernel developers
Bug #86 Minor Qos Bug with multiple class match rules Ubiquiti (Stig Thormodsrud), Carl Byington
Bug #87 Trivial Values for "authoritative" option don't show up in completion Daniil Baturin
Bug #97 Text System shows "Linux vyatta 3.3.8-1-amd64-vyatta" at login Daniil Baturin
Bug #99 Minor build-iso README is outdated Daniil Baturin
Bug #100 Enhancement Automate build environment setup Hiroyuki Sato
Bug #102 Trivial No completion for as-path-list in route-map rule Daniil Baturin
Bug #104 Enhancement Add an option to remove private information from displayed config Daniil Baturin
Bug #108 Enhancement Utilize Linux-specific implementation of RFC1337 Daniil Baturin
Bug #115 Minor Syntax: CLI allows users to commit namespaces reserved by IPTables (MARK, CONNMARK, etc.) Daniil Baturin
Bug #122 Minor DHCPv6 server lease file is written to /var/log which is not preserved through image upgrades Daniil Baturin
Bug #128 Trivial IpSet.pm still calls ipset for each port in a port-range making a complex firewall boot last ages Paweł Pierścionek, Daniil Baturin
Bug #129 Text Extra quote in "set protocols ospf distance global" help string Trick van Staveren
Bug #147 Enhancement Please implement BCP38 (Reverse Path Filtering) Ubiquiti (Stig Thormodsrud)
Bug #149 Enhancement Please implement VrrpV6 Florian Fuessl
Bug #152 Enhancement Router Advertisment RFC4191 Specific Routes and RFC6106 DNS configuration not impimented in CLI and Vyos configuration Ivan Malyarchuk
Bug #159 Enhancement Feature Request: Support for "dummy" interface configuration Daniil Baturin
Bug #160 Minor Invalid DHCP configuration can cause dhcpd to silently fail Alex Harpin
Bug #170 Enhancement Add unmanaged L2TPv3 support Yuya Kusakabe
Bug #171 Minor Non-optimal partition alignment in installer hydrajump, Daniil Baturin
Bug #178 Major Please *don't* remove non-PAE capability Daniil Baturin
Bug #181 Minor Check to verify private key may fail for certain valid keys Ralf Ertzinger
Bug #182 Minor System DHCP client behavior overrides hard-coded DNS settings Alex Harpin
Bug #186 Enhancement RIP passive-interface "default" missing from config template Kim Hagen
Bug #195 Enhancement Send message to remote syslog server over UDP or TCP Abdelouahed Haitoute
Bug #196 Enhancement Add smuxpeer in snmpd.conf Abdelouahed Haitoute
Bug #197 Enhancement Add support for additional DH groups to IPsec Ryan Riske
Bug #200 Major UNIONTYPE=overlayfs seems to break helium iso builds since 2014-04-25 Patrick van Staveren, Hiroyuki Sato, Kim Hagen, Daniil Baturin
Bug #204 Minor wireless-hostapd: ensure the cipher value given is used by hostapd Alex Harpin
Bug #205 Minor wireless-hostapd: set the default cipers to CCMP TKIP Alex Harpin
Bug #218 Text traffic-policy help is hard to understand Hiroyuki Sato
Bug #220 Enhancement Add support for SHA2 hashes Rian Riske
Bug #221 Minor Openvpn server mode makes remote client loose default openvpn on dhcp renew Toni Cunyat
Bug #222 Enhancement Initial IKEv2 Support Jeff Leung
Bug #223 Minor Remove automatic IKE version negoiation Jeff Leung
Bug #224 Enhancement Initial MOBIKE Configuration Support Jeff Leung
Bug #225 Minor wireless-config: fix "use of uninitialized value" warning Alex Harpin
Bug #230 Major radvd only respecting last interface in radvd.conf Daniil Baturin
Bug #233 Major task-scheduler: restart script missing Ubiquiti (Stig Thormodsrud)
Bug #234 Minor task-scheduler should verify valid cron file name Ubiquiti (Stig Thormodsrud)
Bug #237 Enhancement Add support for cipher and macs overrides in SSH server neutralrockets
Bug #239 Enhancement Getting the version number by using dpkg will not work when upgrading to newer version of debian. Kim Hagen
Bug #241 Major IPsec VPN allows protected traffic out unencrypted before IKE negotiation completes Ryan Riske
Bug #245 Minor vyos constant "failed to get vmstats" spam to /var/log/messages from vmware-tools vmsvc Kim Hagen
Bug #246 Enhancement Allow configuring/changing VyOS Linux bridge /sys multicast IGMP querier settings Daniil Baturin
Bug #247 Major VyOS helium Linux 3.13 kernel .config doesn't have vmxnet3 driver enabled/available Kim Hagen
Bug #250 Trivial Helium build fail Cause "Untrusted packages could compromise your system's security" Alex Harpin
Bug #251 Enhancement Add ability to convert config mode "show" output to set commands Daniil Baturin
Bug #255 Minor dnsmasq returns 127.0.1.1 to clients requesting the VyOS router's name Daniil Baturin, Paul Gear
Bug #256 Major L2TPv3 configuration is not loaded after reboot ftoyama
Bug #258 Major Unable to add l2tp_ip module for L2TPv3 over ip ftoyama
Bug #259 Major unable to delete tunnel Daniil Baturin
Bug #261 Minor Quotes in snmpd.conf sysLocation and sysContact not required Alex Harpin
Bug #263 Major vyos-kernel: enable atheros wireless drivers in the helium 3.13 kernel Alex Harpin
Bug #265 Trivial linux-firmware: remove deprecated ar9170usb firmware Alex Harpin
Bug #266 Major vyos-kernel: enable atheros HTC drivers in the helium 3.13 kernel Alex Harpin
Bug #267 Major vyos-kernel: enable atheros USB drivers in the helium 3.13 kernel Alex Harpin
Bug #268 Major linux-firmware: add carl9170 firmware required by kernel module Alex Harpin
Bug #269 Trivial GRUB menu says it's an AWS AMI even if it's not Daniil Baturin
Bug #270 Enhancement Add an option to always replace default route Ewald van Geffen
Bug #271 Enhancement Add an event handling mechanism Daniil Baturin, Jon Andersson
Bug #274 Trivial IPv6 RA "send-advert", "other-config-flag", and "managed-flag" lack value completion Daniil Baturin
Bug #276 Enhancement vyos-kernel: update config files for the latest kernel Alex Harpin
Bug #280 Enhancement vyos-kernel: enable realtek rtl8723ae kernel modules for all configs Alex Harpin
Bug #281 Enhancement vyos-kernel: enable kernel stack overflow protection for all configs Alex Harpin
Bug #283 Enhancement vyos-kernel: disable kernel debugging for all configs Alex Harpin
Bug #295 Minor wireless-hostapd: set default ciphers used based on the wpa mode Alex Harpin
Bug #296 Text Tidy up output on "show dhcp server leases" Alex Harpin
Bug #297 Enhancement Sticky incoming connection support for WLB Ewald van Geffen
Bug #300 Major Entering configuration mode as root screws up running config permissions Daniil Baturin
Bug #301 Major Enable VXLAN kernel module for 586-vyos kernel version Alex Harpin
Bug #303 Minor tail is not working (tailing) Alex Harpin, Daniil Baturin
Bug #305 Minor Allow interfaces with dhcp addresses to be deleted Alex Harpin
Bug #306 Enhancement Add proxy_arp_pvlan support Shane Short, Daniil Baturin
Bug #309 Enhancement Expand 'set system allow-dhcp-nameservers' logic Alex Harpin
Bug #314 Enhancement Rename allow-dhcp-nameservers and change to typeless Alex Harpin
Bug #317 Enhancement vyatta-cfg-vpn: add libnfnetlink-dev to build dependencies Alex Harpin
Bug #318 Enhancement Add support for persistent tunnels (--persist-tun) in OpenVPN Alex Harpin
Bug #320 Text Tidy up output on "show openvpn <type> status" messages Alex Harpin
Bug #321 Major Shaping does not work for PPPoE interfaces Alex Harpin
Bug #326 Major Import patch from Redhat for CVE-2014-7169 Alex Harpin, Daniil Baturin
Bug #331 Trivial Show vpn ipsec status always returns "no IP on interface..." Trick van Staveren
Bug #332 Minor Prevent duplicate local rsa key includes Alex Harpin
Bug #333 Major Return correct path for pppoe or pppoa interfaces Alex Harpin
Bug #337 Major After upgrade from 1.0.3 to 1.1.0beta1, VRRP unable to communicate with other node Daniil Baturin
Bug #341 Minor Allow dhcp and dhcpv6 addresses to be deleted Alex Harpin

Changes to the development environment

  • Added the "tools/setup-vyos-build-env" script, which automatically sets up the basic ISO build dependencies.

Maintenance releases

1.1.1

Release date: 2014/12/8

Download: http://packages.vyos.net/iso/release/1.1.1/

Security

Resolved security issues:

Known issues / workarounds

Due to an issue with the OpenSSL package used for Helium, the 64-bit image released as 1.1.0 caused segmentation faults when SSH was used on that platform; the underlying cause is a failure of the SSH host key creation process. The 1.1.1 release contains a downgraded version of the OpenSSL package, which corrects this while the root cause is investigated (Bug #345).

Resolved issues

Bug ID Severity Title Contributor
Bug #147 Enhancement Please implement BCP38 (Reverse Path Filtering) Ubiquiti Networks (Stig Thormodsrud), Ryan Riske
Bug #191 Minor ipv6 BGP Clear via soft in/out agusr
Bug #312 Minor OpenVPN CLI allows remote and local address to be the same Daniil Baturin
Bug #334 Minor DHCP sends incorrect hostname to client when use-host-decl-names is on Alex Harpin
Bug #336 Major Login block deleted on reboot when user does not have password Alex Harpin
Bug #340 Minor configuration backup command doesn't work Alex Harpin
Bug #342 Minor Password reset only works for the "vyos" user Alex Harpin
Bug #350 Major LDAP Auth through Vyos Daniil Baturin
Bug #351 Major there is mistake into squid.conf Daniil Baturin
Bug #354 Major PPTP doesn't work when required authentication protocol is not specified Daniil Baturin
Bug #355 Enhancement vyatta-cfg-system: set default vyos password hash to sha-512 when reset Alex Harpin
Bug #364 Minor ppp potential local privilege escalation CVE-2014-3158 Toni Cunyat
Bug #381 Major VxLAN's "link" option does not work Hiroshi Umehara

1.1.2

Release date: 2015 January 22

Security

Several vulnerabilities in NTP have been fixed: CVE-2014-9293, CVE-2014-9294, CVE-2014-9295.

Compatibility notes

Before the fix for Bug #415, the system accepted the "authentication remote-id" option on peers with "@something" names but did not use it in any way; this was undefined and undocumented behaviour. Now, for such peers, remote-id overrides the peer name as the remote identity. If you left it configured by mistake on a "@something" peer, remove it, since it now takes effect.

Resolved issues

Bug ID Severity Title Contributor
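A pre-upgrade check for the situation described above, added here as an example and not part of the release notes or of VyOS itself: it scans a configuration in the "set ..." form that the "| commands" pipe produces, and lists every "@something" peer that also carries "authentication remote-id", i.e. every peer whose effective identity changes once the Bug #415 fix is in place. The exact set/delete command paths and the sample configuration below are assumptions constructed for this example.

```python
"""Flag IPsec peers named "@something" that also set "authentication remote-id".

Hypothetical pre-upgrade check (example code, not VyOS project code). Input is
assumed to be the "set ..." command form produced by `show configuration commands`
or the conf-mode `| commands` pipe; the sample configuration below is constructed.
"""
import re
import shlex

# Matches "set vpn ipsec site-to-site peer <peer> <option path...> [<value>]".
# The command path is an assumption based on the 1.1 IPsec CLI.
_PEER_LINE = re.compile(r"^set vpn ipsec site-to-site peer (\S+)(?:\s+(.*))?$")


def parse_peers(config_lines):
    """Return {peer: {option_path_tuple: value}} for every site-to-site peer."""
    peers = {}
    for raw in config_lines:
        m = _PEER_LINE.match(raw.strip())
        if not m:
            continue
        peer, rest = m.group(1), m.group(2) or ""
        tokens = shlex.split(rest)  # honours quoted values such as 'my id'
        if not tokens:
            continue
        if len(tokens) == 1:
            path, value = tuple(tokens), None
        else:
            path, value = tuple(tokens[:-1]), tokens[-1]
        peers.setdefault(peer, {})[path] = value
    return peers


def find_conflicting_remote_ids(config_lines):
    """Return [(peer, remote_id)] for "@name" peers that also set remote-id.

    Before the Bug #415 fix the remote-id was silently ignored for such peers;
    after it, remote-id overrides the peer name as the remote identity, so a
    forgotten value changes which identity the tunnel accepts.
    """
    conflicts = []
    for peer, opts in sorted(parse_peers(config_lines).items()):
        remote_id = opts.get(("authentication", "remote-id"))
        if peer.startswith("@") and remote_id is not None:
            conflicts.append((peer, remote_id))
    return conflicts


def suggested_fix(conflicts):
    """Delete commands to run if the remote-id on those peers was a mistake."""
    return [
        f"delete vpn ipsec site-to-site peer {peer} authentication remote-id"
        for peer, _ in conflicts
    ]


# Constructed sample: one address-named peer (unaffected), one "@" peer with a
# stale remote-id (affected), one "@" peer without remote-id (unaffected).
SAMPLE_CONFIG = """\
set vpn ipsec site-to-site peer 203.0.113.10 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.10 authentication remote-id 'hq.example.net'
set vpn ipsec site-to-site peer @branch1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer @branch1 authentication remote-id '@old-branch1'
set vpn ipsec site-to-site peer @branch1 local-address 198.51.100.1
set vpn ipsec site-to-site peer @branch2 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer @branch2 local-address 198.51.100.1
""".splitlines()


if __name__ == "__main__":
    found = find_conflicting_remote_ids(SAMPLE_CONFIG)
    for peer, rid in found:
        print(f"{peer}: remote-id {rid!r} now overrides the peer name")
    for cmd in suggested_fix(found):
        print(cmd)
```

Feed it the output of `show configuration commands` from the 1.1.1 box before upgrading; an empty result means the note does not apply to that configuration. Peers addressed by IP or hostname are deliberately not reported, because the note only concerns "@"-named peers.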
Bug #345 Major SSH command returns "Segmentation fault" Debian team, Hiroyuki Sato, Alex Harpin
Bug #348 Minor Pre-shared key regex is too restrictive Daniil Baturin
Bug #350 Major Squidguard is built without LDAP support Igor Golubkov, Alex Harpin
Bug #358 Major Can't reach other side of VTI IPsec tunnel but can see packets on VTI interface Alex Harpin
Bug #388 Major IKEv2 SA's are not shown in "show vpn ipsec sa" Jason Hendry
Bug #395 Major IKEv2 Strongswan Re-Authentication Bug Jason Hendry
Bug #396 Minor Fix "show vpn ike sa" when reauth=no Jason Hendry
Bug #398 Minor "show vpn ipsec sa" does not show left/right subnets with IKEv2 Jason Hendry
Bug #403 Major Multiple users changing the running config may cause config subsystem internal errors Alex Harpin
Bug #405 Major VTI Routing broken over ipsec Alex Harpin
Bug #411 Minor Loading SSH key with spaces in comment fails Jared Baldridge
Bug #414 Minor Site-to-site IPsec config script doesn't quote local id properly Daniil Baturin
Bug #415 Minor remote-id option doesn't override rightid for peers with @id names Daniil Baturin
Bug #418 Major ntp: import RedHat patch to fix CVE-2014-9293 RedHat
Bug #419 Minor ntp: import RedHat patch to fix CVE-2014-9294 RedHat
Bug #420 Major ntp: import RedHat patch to fix CVE-2014-9295 RedHat
Bug #421 Minor ntp: import RedHat patch to fix CVE-2014-9296 RedHat
Bug #431 Minor IKEv2 SA Information Sometimes Fails Jason Hendry
Bug #438 Minor show host domain replies (none) Alex Harpin
Bug #451 Trivial Update pre-shared secret key help for single quotes Alex Harpin

1.1.3

Release date: 2015 January 28

Security

Resolved security issues:

1.1.4

Release date: 2015 March 09

Security

Resolved security issues:

Compatibility notes

The operational mode command "show shutdown" has been renamed to "show poweroff".

Resolved issues

Bug ID Severity Title Contributor
Bug #35 Minor Unable to configure webproxy listen-address when it's associated with an OpenVPN tunnel interface Igor Golubkov, Alex Harpin
Bug #130 Minor VRRP group description is not displayed Alex Harpin
Bug #298 Minor On shutdown the SSH session on the client does not get disconnected Alex Harpin
Bug #329 Minor L2TP IPSec does not accept connections if PSK contains special characters Alex Harpin
Bug #343 Minor "Malformed lease" when we have an abandoned DHCP lease Alex Harpin
Bug #367 Minor Incorrect PFS config generation in DMVPN Kim Hagen
Bug #377 Trivial Pipe (for conversion) to commands should only be available in config context Daniil Baturin
Bug #382 Minor Removing system ipv6 forwarding causes script error Carl Byington, Hiroyuki Sato
Bug #400 Major OpenVPN denial of service vulnerability (CVE-2014-8104) OpenVPN maintainers
Bug #401 Minor IKEv2 SA Info not displaying when rekeying is disabled Jason Hendry
Bug #402 Minor "show vpn ike sa" displays the wrong information for DH-group Jason Hendry
Bug #423 Major Webproxy ldap auth with spaces in binddn and ldap port with squidGuard Igor Golubkov
Bug #433 Minor reject-unconfigured-clients statement does not work Sean Maguire, Alex Harpin
Bug #441 Minor wan-load-balance service does not reliably daemonize Chris Wadge, Alex Harpin
Bug #453 Text vyatta-wireless: update wpa passphrase help for single quotes Alex Harpin
Bug #460 Enhancement vyatta-op: update the system poweroff cli command to be script based Alex Harpin
Bug #461 Enhancement vyatta-op: replace 'show shutdown' with 'show poweroff' and use script Alex Harpin
Bug #468 Minor resolv.conf - invalid format causing extra DNS request Andreas Sundstrom, Alex Harpin
Bug #483 Enhancement linux-firmware: add Intel iwlwifi firmwares Firmware authors
Bug #487 Trivial Non-commited firewall names do not autocomplete Daniil Baturin
Bug #490 Major Can't commit dhcpv6-options for client on ethernet interface Daniil Baturin
Bug #491 Minor DHCPv6 client CLI allows temporary and parameters-only to be configured at the same time Daniil Baturin
Bug #492 Minor DHCPv6 client CLI doesn't fail commit in case of errors Daniil Baturin
Bug #498 Major Operator level users are allowed to execute remote commands via SSH Daniil Baturin

1.1.5

Release date: 2015 March 25

Security

Resolved security issues:

The following security issues were fixed by the update to OpenSSL 0.9.8zf:

  • CVE-2015-0287 (memory corruption in ASN.1 parsing).
  • CVE-2015-0286 (denial of service in ASN1_TYPE_cmp() function).
  • CVE-2015-0289 (NULL pointer dereference in the PKCS#7 parsing code, resulting in denial of service).
  • CVE-2015-0293 (denial of service via a crafted SSLv2 CLIENT-MASTER-KEY message).
  • CVE-2015-0209 (malformed EC private key may result in memory corruption).
  • CVE-2015-0288 (missing input sanitising in the X509_to_X509_REQ() function might result in denial of service).


Resolved issues

Bug ID Severity Title Contributor
Bug #473 Minor VIF Interfaces do not set MTU properly at boot for Jumbo Frames Alex Harpin
Bug #508 Major dhcpv6-options doesn't work on VIF interfaces Benjamin Beret
Bug #521 Major If a quagga daemon crashes, it can't be restarted Daniil Baturin
Bug #522 Major Update OpenSSL to upstream version 0.9.8zf OpenSSL developers, Alex Harpin (packaging)
Bug #528 Major Removing "address-family ipv6-unicast" from a BGP neighbor removes the whole neighbor Daniil Baturin
Bug #529 Trivial vyatta-cfg-quagga builds useless packages Daniil Baturin

1.1.6

Release date: 2015/08/17

Security

The following security issues have been fixed:

Resolved issues

Bug ID Severity Title Contributor
Bug #406 Minor No completion for uncommited firewall group names in rulesets Daniil Baturin
Bug #434 Minor Client configuration file not configured unless client options present Alex Harpin
Bug #509 Text Top Level CLI help Merge bad formatting Alex Harpin
Bug #517 Minor commit-archive with scp location fails on self signed ssh keys Alex Harpin
Bug #541 Major Creation of L2TPv3 interface with IPv6 endpoints fails Daniil Baturin
Bug #557 Major 'delete system login user' doesn't remove the user Alex Harpin
Bug #567 Minor The strip-private command fails to remove SSH keys Alex Harpin
Bug #573 Major missing encrypted-password breaks user config node Alex Harpin

Notes

This release image includes the updated public key (A0FE6D7E).

1.1.7

Release date: 2016/02/17

Security

The following security issues have been fixed:

  • CVE-2015-7547 (glibc stack-based buffer overflow when the getaddrinfo() library function is used)

1.1.8

Release date: 2017/11/13