VyOS Networks Blog

Building an open source network OS for the people, together.

VyOS 1.4.0-epa3 release

Daniil Baturin
Posted 14 May, 2024

Hello, Сommunity!

The VyOS 1.4.0-epa3 (Early Production Access) release is now available to subscribers. It includes a fix for CVE-2024-2961 — the recently discovered buffer overflow vulnerability in GNU libc.

This is the final EPA of 1.4.0/Sagitta release, which includes all supported flavors (hardware and virtual). It also includes a few configuration syntax changes (all automatically migrated) that were required to make old configs work or to unblock improvement paths, such as implementing the DHCP server active/active high availability mode in addition to the old active/passive failover mechanism.

Please let us know if you notice any anomalies! We expect the 1.4.0 GA release in two weeks if no significant issues are detected.

Change log


  • T6324: CVE-2024-2961 (GNU libc iconv function buffer overflow).

Configuration syntax changes (automatically migrated)

  • T5535: Move disable-directed-broadcast to firewall global-options
  • T6171: Rename the DHCP server "failover" command to "high-availability mode"
  • T6208: container: rename "cap-add" CLI node to "capability"
  • T6216: Firewall group names that contain the '+' character break the config
  • T6295: netns: disable incomplete support in VyOS 1.4 sagitta

New features and improvements

  • T4309: Support network/address-groups and ipv6-network/ipv6-address-groups in "conntrack ignore"
  • T4903: Support IPv6 addresses in "set system conntrack ignore"
  • T5364: Make it possible to set the PADO delay to 0
  • T6127: Ability to view logs for rules with Offload not functional
  • T6129: bgp: add route-map option "as-path exclude all"
  • T6133: Add domain-name to commit-archive
  • T6143: Increase configuration timeout range for service config-sync
  • T6154: Installer should ask for password twice
  • T6161: Add support for displaying container image data in JSON
  • T6162: ixgbe: Add 1000BASE-BX support
  • T6171: Rename the DHCP server "failover" command to "high-availability mode"
  • T6176: image-tools: rationalize setting of console type
  • T6184: image-tools: add op-mode command to set default boot console type
  • T6192: Support running SSH server in more than one VRF
  • T6226: Add "tcp-requece inspect-delay" to reverse proxy
  • T6257: Add op mode commands for dynamic firewall address groups
  • T6258: Add IPv6 base-reachable-time option to interfaces
  • T6260: image-tools: remove the image directory if it fails to install due to insufficient drive space
  • T6267: Improve commit failure messages for wireless interface configuration
  • T6278: Attempt hint for console type during image install
  • T6291: Add op mode commands for displaying LACP information for bonding interfaces
  • T6306: EVPN-MH - missing options in uplink ports

Bug fixes

  • T2590: DHCPv6 not updating nameservers and search domains since replacing isc-dhcp-client with WIDE dhcp6c
  • T3655: NAT doesn't work correctly with VRF
  • T4718: DHCP server listen-address doesn't take effect if the interface is in a VRF
  • T5164: op cmd: "show dhcp server leases state" with available options does not show any result
  • T5862: Default MTU is not acceptable in some environments
  • T5875: login: removing and re-adding a user keeps the home directory but changes the UID, thus SSH keys no longer work
  • T5996: Incorrect behavior for backslash escapes in config save and compare commands
  • T6082: BGP doesn't allow the same local AS and remote AS in peer groups
  • T6085: VTI interfaces are in UP state by default
  • T6089: [1.3.6->1.4.0-epa1 Migration] "ospf passive-interface default" incorrectly added
  • T6090: Migration of "policy route" configs fails due to TCP flag case sensitivity
  • T6100: NAT config migration error in 1.4.0-epa1 if invalid address/network defined in 1.3.6 version
  • T6106: Improve the commit error message for the case when route-reflector-client option is defined in a peer-group
  • T6119: Use a compliant TOML parser
  • T6130: [1.3.6->1.4.0-epa2 Migration] BGP "set community" missing
  • T6131: Disabling openvpn interface(s) causes OSPF to fail to load on reboot
  • T6136: Configuring a dynamic address group, config script did not check whether the group was created
  • T6138: Conntrack table op-mode fails with flowtable offload entries
  • T6145: Service config-sync does not rely on priorities
  • T6147: Conntrack not working as expected with global state-policy
  • T6152: Kernel panic for ZimaBoard 232
  • T6160: Unhandled exception when configuring IS-IS
  • T6165: grub: vyos-grub-update failed to start on "slow" systems
  • T6167: VNI not set on VRF after reboot
  • T6168: "add system image" does not set the default boot image to the current console type in compatibility mode
  • T6169: DNS forwarding configuration rejects underscores in SRV records
  • T6173: Build Causes Errors When "--version" Contains Slashes ("/")
  • T6175: op-mode: "renew dhcp interface " does not check if it's an actual DHCP interface
  • T6178: reverse-proxy doesn't check that a certificate exists at set time
  • T6179: Incorrect HAProxy config generated for reverse-proxy rules with url-path
  • T6186: 'set system image default-boot' fails to find images that actually do exist in the system
  • T6189: BGP L3VPN connectivity is broken after re-enabling VRF
  • T6191: Policy route set-mss option is not working correctly
  • T6193: dhcp-client: invalid warning "is not a DHCP interface but uses DHCP name-server option" for VLAN interfaces
  • T6196: route-map and summary-only do not work in BGP aggregation at the same time
  • T6197: Validation error in the IPoE server interface client-subnet option
  • T6202: Multi-Protocol BGP is broken by 6PE patch in upstream FRR 9.1
  • T6205: ipoe: error in migration script logic while renaming mac-address to mac
  • T6206: L2tp smoketest fails if vyos-configd is running
  • T6207: image-tools: restore ability to copy config.boot.default on image install
  • T6213: Validations in firewall groups mistakenly reject correct configurations
  • T6216: Firewall group names that contain the '+' character break the config
  • T6218: Container network interface in VRF fails to generate IPv6 link-local address
  • T6221: Enabling VRF breaks connectivity
  • T6222: VRRP rfc3768-compatibility not working correctly when resulting interface name is over 15 characters
  • T6241: Updating CRL in "pki" config does not update OpenVPN
  • T6243: Update vyos-http-api-tools for package idna security advisory
  • T6250: "policy route-map set table" cannot be deleted from the rule
  • T6252: GRE tunnels don't allow configuring MTU larger than 8024
  • T6255: Static table description should not contain white-space
  • T6263: Commit failures when trying to set an IGMP group with source address on an interface
  • T6269: Polixy route "set table" option is not working correctly
  • T6272: PPPoE configuration does not load after deleting a PPPoE interface from the system
  • T6276: Do not call config dependencies on script error
  • T6283: Cannot delete as-path prepend from policy when it contains more than one AS
  • T6284: IPoE server op mode commands do not show IPv6 addresses
  • T6299: Building VyOS (Dockerized) current ISO fails dues to unmet dependencies podman : Depends: libgpgme11t64 (>= 1.4.1) but it is not installable
  • T6305: IPoE interface wildcard validation error in firewall rules
  • T6307: procps is missing from vyos-1x build dependencies
  • T6317: VLAN doesn't work on a bridge with a wireless interface member
  • T6329: Firewall - Error while printing groups

Other resolved issues

  • T4516: Rewrite system image manipulation tools in Python
  • T5535: Move disable-directed-broadcast to firewall global-options
  • T6146: Add python script to get all priorities of service or section from XML
  • T6159: "show openvpn server" prints a superfluous "OpenVPN status on vtunx" message for every client connection
  • T6180: Add application of mask to configtree
  • T6185: Simplify marshalling of section and config data for config-sync
  • T6187: Use correct CPU counts adjusted for SMT when necessary
  • T6195: dropbear: package upgrade 2022.83-1 -> 2022.83-1+deb12u1
  • T6198: configverify: add common helper for PKI certificate validation
  • T6203: Remove references to the obsolete vyos.xml module (superseded by vyos.xml_ref)
  • T6208: container: rename "cap-add" CLI node to "capability"
  • T6234: PPPoE-server pado-delay refactoring
  • T6245: Unhandled exception in "show openvpn server"
  • T6295: netns: disable incomplete support in VyOS 1.4 sagitta
  • T6327: Drop boot console type ttyUSB (USB serial)
  • T6330: release.pref.chroot indentation broken
The post categories: