VyOS Platform Blog

VyOS 1.3.1 release

Written by Daniil Baturin | March 21, 2022 7:48:22 PM Z

Hello, Community

VyOS 1.3.1 release is now available:

subscribers (customers and contributors) can download binary images from the support portal, and everyone can build it from the source.

The driving force for this release is CVE-2022-0778, but it features a whole bunch of bug fixes and a few new features in addition to it.

If you missed it, CVE-2022-0778 is a vulnerability in OpenSSL that potentially allows any remote attacker to cause an infinite loop in OpenSSL and hang the process by sending a malformed certificate. We still haven't seen a working PoC for exploiting it in the wild, but since it's remotely exploitable, it would be irresponsible to wait for a working exploit to take action.

We have been planning to make a 1.3.1 release for a while anyway but wanted to complete some work on fixes and features before releasing it. Since VyOS 1.3.0 was released in late December 2021, many could argue that this release is already overdue and we've been holding useful improvements back for no reason. In any case, now it's released, we will start working on 1.3.2 and keep working on 1.4.0.

Notable improvements

First, there's now Telegraf monitoring agent configuration CLI! You can find it under set service monitoring telegraf. It's fairly intuitive, but we will document it, and meanwhile feel free to ask if you get any problems with it.

It was impossible to set multiple remotes for unicase VXLAN, but now there is:

set interfaces vxlan vxlan0 remote 192.0.2.23
set interfaces vxlan vxlan0 remote 203.0.113.23

It was also impossible to make the web proxy listen on all addresses because it wouldn't accept 0.0.0.0 as its listen-address, but now it's a valid value.

VRRP transition scripts would stop working when sync-groups were configured. That's not a common configuration, but that was an unfortunate bug nonetheless, and now it's no longer an issue.

Overall, there are just over 50 resolved issues though, mostly small but still significant. You will find a complete changelog below. Now let's talk about deprecations...

The loadkey command is now deprecated

The loadkey command was quite an oddity in our CLI. It parsed SSH public keys and ran set commands behind the scenes to add the user's public key to the config. We've been planning to rectify that irregularity for a long time, but we needed an alternative.

Now the new, better (we think) way to configure user keys is the op mode command run generate public-key-command. This is how it works:

generate public-key-command user jrandomhacker path /tmp/id_rsa.pub
# To add this key as an embedded key, run the following commands:
configure
set system login user jrandomhacker authentication public-keys jrandomhacker@host.example.com key AAAAB3NzaC1yc2EAAAADAQABAAABAQDQvwU34xJjCqkU1KOM+Ep7LLlswVXRbTjoileJmR3YLIpVXrP/gSPgd7RY5AC2Zp/JjcFnaMZCyVDUM+NU9rF1I7yWeoXE98BQ1jcCWROwfPjVh/LzGJvSXIQDhVAiarrXV90fiFe4VPYmf4JfXjbElCxH669YLw7QLovvXUqwWWI09POrp/zjdImEBDUUanCkGGJZCD3QuYtBPzz+fyiNuTnt3mTKZoCIKcwiMUDve/mn4OuOzCtoWGM8++K072KDwU8jq8Sq+3MSiudY5JACIbfwY3uIvKIQkBite0/+Dodw6m7QW12ZLMVcGLzMXvZSin05uxfDNdimIXgvu/vv
set system login user jrandomhacker authentication public-keys jrandomhacker@host.example.com type ssh-rsa

That command also accepts URLs, not only local paths.

Of course, the loadkey command isn't going anywhere right now. It will only issue deprecation warnings and will remain available throughout the 1.3.x branch lifetime. In 1.4.0 we will remove the old command and the new way will become the only way.

Changelog

Security

  • T4204: Update Accel-PPP to a newer revision
  • T4310: CVE-2022-0778: infinite loop in OpenSSL certificate parsing
  • T4311: CVE-2021-4034: local privilege escalation in PolKit

Configuration syntax changes (automatically migrated)

  • T4273: ssh: Upgrade from 1.2.X to 1.3.0 breaks config

New features and improvements

  • T2400: OpenVPN: dont restart server if no need
  • T2764: Increase the maximum number of NAT rules
  • T3164: console-server ssh does not work with RADIUS PAM auth
  • T3299: Allow the web proxy service to listen on all IP addresses
  • T3318: Update Linux Kernel to v5.4.185 / 5.10.106
  • T3854: Missing op-mode commands for conntrack-sync
  • T3872: Add configurable telegraf monitoring service
  • T4055: Add VRF support for HTTP(S) API service
  • T4120: [VXLAN] add the ability to set multiple unicast-remotes
  • T4128: keepalived: Upgrade package to add VRF support
  • T4261: MACsec: add DHCP client support

Bug fixes

  • T2922: The `vpn ipsec logging log-modes` miss the IPSec daemons state check
  • T3914: VRRP rfc3768-compatibility doesn't work with unicast peers
  • T3924: VRRP stops working with VRF
  • T4002: firewall group network-group long names restriction incorrect behavior
  • T4081: VRRP health-check script stops working when setting up a sync group
  • T4087: IPsec IKE-group proposals limit of 10 pieces
  • T4092: IKEv2 mobike commit failed with DMVPN nhrp
  • T4093: SNMPv3 snmpd.conf generation bug
  • T4101: commit-archive: Use of uninitialized value $source_address in concatenation
  • T4104: RAID1: "add raid md0 member sda1" does not restore boot sector
  • T4110: [IPV6-SSH/DNS} enable IPv6 link local adresses as listen-address %eth0
  • T4141: Set high-availability vrrp sync-group without members error
  • T4142: Input ifbX interfaces not displayed in op-mode
  • T4152: NHRP shortcut-target holding-time does not work
  • T4154: Error add second gre tunnel with the same source interface
  • T4165: Custom conntrack rules cannot be deleted
  • T4168: IPsec VPN is impossible to restart when DMVPN is configured
  • T4183: IPv6 link-local address not accepted as wireguard peer
  • T4184: NTP allow-clients address doesn't work it allows to use ntp server for all addresses
  • T4191: Lost access to host after VRF re-creating
  • T4196: DHCP server client-prefix-length parameter results in non-functional leases
  • T4203: Reconfigure DHCP client interface causes brief outages
  • T4226: VRRP transition-script does not work for groups name which contains -(minus) sign
  • T4228: bond: OS error thrown when two bonds use the same member
  • T4233: ssh: sync regex for allow/deny usernames to "system login"
  • T4234: Show firewall partly broken in 1.3.x
  • T4237: Conntrack-sync error - error adding listen-address command
  • T4240: Cannot add wlan0 to bridge via configure
  • T4241: ocserv openconnect looks broken in recent bulds of 1.3 Equuleus
  • T4242: ethernet speed/duplex can never be switched back to auto/auto
  • T4258: [DHCP-SERVER] error parameter on Failover
  • T4259: The conntrackd daemon can be started wrongly
  • T4263: vyos.util.leaf_node_changed() dos not honor valueLess nodes
  • T4264: vxlan: interface is destroyed and rebuild on description change
  • T4267: Error - Missing required "ip key" parameter
  • T4273: ssh: Upgrade from 1.2.X to 1.3.0 breaks config
  • T4297: Interface configuration saving fails for ice/iavf based interfaces because they can't change speed/duplex settings

Other resolved issues

  • T3380: Show vpn ike sa with IPv6 remote peer
  • T4227: Typo in help completion of hello-time option of bridge interface
  • T4255: Unexpected print of dict bridge on delete

What's next?

VyOS 1.2.x, by a lucky coincidence, wasn't affected by the OpenSSL vulnerability, so it didn't trigger an emergency release. However, we are still planning to make a 1.2.9 release before putting 1.2.x in a "deep maintenance" mode where it will only receive updates for critical bugs and security vulnerabilities.

VyOS 1.3.2 may receive more backports from the 1.4.0/Sagitta branch, and definitely more bug fixes. Stay tuned for updates!
View full post