Hello Community!
VyOS 1.3.1-S1 security release is now available to customers and contributors to download, and everyone can build it from the source. It fixes a vulnerability in the experimental GraphQL component of our HTTP API server that allowed a remote attacker to bypass authentication and read the complete config. Since the HTTP API is disabled by default and very few people have enabled it so far, the impact of the vulnerability is (luckily) not very high, and we have no evidence that it was exploited in the wild, but we advise everyone to upgrade nonetheless.
In addition to that vulnerability, this release fixes a couple more bugs:
There are more feature backports and fixes to come in 1.3.2, so stay tuned for updates!
P.S. Shortly after this release, our user Phillip McMahon discovered an issue with the set system ipv6 disable command that prevents the loopback interface config from loading properly. We are grateful for the prompt bug report, and we are sorry for the incident! We have already taken steps to improve our LTS branch maintenance procedures so that a single maintainer's lapse in judgement cannot allow insufficiently tested code to appear in a released image.
Meanwhile, if you are using the set system ipv6 disable command, you can use this procedure to deploy a hotfix:

wget https://cdn.vyos.io/1.3.1-S1/fixes/vyos-1x-1.3.1-S1-hotfix.deb
sudo dpkg -i vyos-1x-1.3.1-S1-hotfix.deb
If you don't disable IPv6 completely on your system, no action is needed.
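The following shell script is an added example and not part of the VyOS post or the project's own tooling. It wraps the hotfix procedure above in a check that only installs the package on routers whose configuration actually contains set system ipv6 disable, and refuses to install a download that is not the vyos-1x package. It assumes that `show configuration commands` can be called from a script through /opt/vyatta/bin/vyatta-op-cmd-wrapper and that the hotfix .deb carries Package: vyos-1x in its control file; both are assumptions, not facts stated in the post. The sample configuration output embedded in the script is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the VyOS post): install the 1.3.1-S1 hotfix only
# where it is needed. The check runs on the output of
# `show configuration commands`, which prints one `set ...` line per node,
# the same form the post uses for the affected command.

HOTFIX_URL="https://cdn.vyos.io/1.3.1-S1/fixes/vyos-1x-1.3.1-S1-hotfix.deb"
HOTFIX_DEB="vyos-1x-1.3.1-S1-hotfix.deb"

# Constructed sample of `show configuration commands` output from an affected router.
SAMPLE_AFFECTED='set interfaces loopback lo
set system host-name vyos
set system ipv6 disable'

# Constructed sample from a router that is NOT affected: it only disables
# forwarding, which is a different node and does not trigger the bug.
SAMPLE_CLEAN='set interfaces loopback lo
set system host-name vyos
set system ipv6 disable-forwarding'

# ipv6_disabled_in CONFIG_COMMANDS_TEXT
# Returns 0 when the text contains the exact line `set system ipv6 disable`.
# The match is anchored to the whole line (-x) and literal (-F) so that
# `set system ipv6 disable-forwarding` is not mistaken for it.
ipv6_disabled_in() {
    printf '%s\n' "$1" | grep -qxF 'set system ipv6 disable'
}

# ipv6_disabled_here
# Same check against the running router. Assumption: the op-mode wrapper
# below is available on the image; adjust the path if it is not.
ipv6_disabled_here() {
    ipv6_disabled_in "$(/opt/vyatta/bin/vyatta-op-cmd-wrapper show configuration commands)"
}

# deb_is_vyos_1x PATH
# Returns 0 when the .deb's control file names the vyos-1x package.
# Assumption: the hotfix package is published with Package: vyos-1x.
deb_is_vyos_1x() {
    pkg=$(dpkg-deb --field "$1" Package 2>/dev/null) || return 1
    [ "$pkg" = "vyos-1x" ]
}

# apply_hotfix_if_needed
# Downloads and installs the hotfix only when the router is affected,
# and only after the downloaded file has been verified to be a vyos-1x package.
apply_hotfix_if_needed() {
    if ! ipv6_disabled_here; then
        echo "IPv6 is not disabled in the config; the hotfix is not needed."
        return 0
    fi
    wget -O "$HOTFIX_DEB" "$HOTFIX_URL" || { echo "download failed" >&2; return 1; }
    if ! deb_is_vyos_1x "$HOTFIX_DEB"; then
        echo "$HOTFIX_DEB is not a vyos-1x package; refusing to install" >&2
        return 1
    fi
    sudo dpkg -i "$HOTFIX_DEB"
}
```

Source the script on the router and call apply_hotfix_if_needed; on an unaffected system it exits without downloading anything. The package check is a sanity check against a truncated download or a wrong file, not a signature verification: the post publishes no checksum or signature for the hotfix, so nothing here can attest to its origin beyond the HTTPS transport.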