VyOS 1.3.4 LTS release

Hello, Community!

VyOS 1.3.4/Equuleus release is now officially available for download for customers and contributors. It includes a number of small features and bug fixes, as well as fixes for recent vulnerabilities in cURL and mitigations for speculative execution security issues that affect AMD CPUs. Read on for details!

What's new?

There's now CLI for the SSHGuard service that automatically detects and blocks SSH brute force attacks. You can explicitly allow all connections from specific trusted hosts and configure attempt thresholds and timeouts:

set service ssh dynamic-protection allow-from 192.0.2.1
set service ssh dynamic-protection block-time 120
set service ssh dynamic-protection detect-time 1800
set service ssh dynamic-protection threshold 30

One feature useful for ISPs is the ability to execute custom scripts when PPPoE server sessions go up or down:

set service pppoe-server authentication mode radius
set service pppoe-server authentication radius server 192.0.2.1 key mykey
set service pppoe-server client-ip-pool name POOL gateway-address 100.64.0.1
set service pppoe-server client-ip-pool name POOL subnet 100.64.0.0/24
set service pppoe-server extended-scripts on-change /config/scripts/tmp.sh
set service pppoe-server extended-scripts on-down /config/scripts/tmp.sh
set service pppoe-server extended-scripts on-up /config/scripts/tmp.sh
set service pppoe-server extended-scripts on-pre-up /config/scripts/tmp.sh
set service pppoe-server interface eth1

There was also an issue with generated sFlow configs in 1.3.3, but it is fixed now and sFlow setups should work as expected again.

Support for VRRPv3, arpwatch utility included in the image, and other improvements. One long-standing, even if minor, issue was that when booted from a live CD, VyOS did not create /config directory symlink, which interfered with testing some services from a live CD, such as DHCP server. Now that the issue is fixed, all functionality should be usable without installing the system first. There are more improvements — read the full changelog for details!

Security

We were about to make this release just when the maintainer of cURL announced that new vulnerabilities were discovered but their exact nature would only be revealed after a two-week embargo period. The final 1.3.4 release includes fixes for those, most notable for the SOCKS5 proxy redirect buffer overflow (CVE-2023-38545). While its exploitation isn't trivial, we definitely advise everyone to upgrade.

Changelog

New features and improvements

• T2424: Ability to choose the direction of Mirroring
• T3546: Add support for running scripts on PPPoE server session events
• T4426: Add arpwatch to the image
• T4475: route-map does not support ipv6 peer
• T4825: interfaces veth/veth-pairs -standalone used
• T5190: Cloud-Init cannot fetch Meta-data on machines where the main Ethernet interface is not eth0
• T5315: vrrp: add support for version 3
• T5354: Add sshguard to protect against brute forces attacks
• T5213: New interim-accounting-interval option for PPPoE server

Bug fixes

• T2611: Prefix list names are shared between ipv4 and ipv6
• T2908: VRF and bridge membership isn’t mutually exclusive
• T2958: DHCP server doesn't work from a live CD
• T3339: Cloud-Init domain search setting not applied
• T4113: Incorrect GRUB configuration parsing
• T4407: Network-config v2 is broken in Cloud-init 22.1 and VyOS 1.3
• T4412: commit archive: reboot not working with sftp
• T4459: API service with VRF doesn't work in 1.3.1
• T4745: CLI TAB issue with values with '-' at the beginning in conf mode
• T4790: RADIUS login does not work if sum of timeouts more than 50s
• T4855: Trying to create more than one tunnel of the same type to the same address causes unhandled exception
• T4895: Tag nodes are overwritten when configured by Cloud-Init from User-Data
• T5140: Firewall network-group problems
• T5221: BGP as-override behavior differs from new FRR and other vendors
• T5329: Wireguard interface as GRE tunnel source causes configuration error on boot
• T5506: Container bridge interfaces do not have a link-local address
• T5524: Add config directory to liveCD
• T5533: Keepalived VRRP IPv6 group enters in FAULT state
• T5545: sflow is not working
• T5555: Fix timezone migrator (system 13-to-14)
• T3070: Firewall going OOM, possible related to nftables migration
• T5630: PPPoE settings now verify that the MRU is less than or equal to the MTU.

Other resolved issues

• T3713: Create a meta-package for user utilities
• T4874: Add Warning message to Equuleus
• T4933: Malformed lines cause vyos.util.colon_separated_to_dict fail with a nondescript error

What's next?

VyOS 1.3.4 certainly isn't the last release in the 1.3.x/Equuleus series. Most of our effort now goes into stabilizing 1.4.0/Sagitta to make it the new LTS release by the end of this year, and 1.3.x will see fewer feature backports after that as the codebases diverge, but it will certainly receive maintenance and security releases for at least a two years more.