VyOS Networks Blog

Building an open source network OS for the people, together.

VyOS 1.4.3 release

Daniil Baturin
Posted 17 Jul, 2025

Hello, Community!

Customers and holders of contributor subscriptions can now download VyOS 1.4.3 release images and the corresponding source tarball.

This release includes fixes for CVE-2024-3596 (BlastRADIUS), a vulnerability in the RADIUS PAM module that made it possible (even if not easy) for an attacker capable of active MitM to forge a server response and log in to a vulnerable system without valid credentials. It also fixes over seventy bugs and adds a few new features. Those features include container improvements such as options to add custom container image registries, set name servers for containers, and allow running containers in privileged mode; an option to import routes from a non-default table into the system RIB; an option to explicitly configure traffic selectors for VTI tunnels; and more.

Removed support for GPG signatures

Until this release, we provided both GnuPG and Minisign signatures for every image. From now on, VyOS uses Minisign exclusively. This should not be a problem for anyone because Minisign signature verification has already been present in all releases for years. But if you see an unexpected verification error, you can solve that by updating your system to 1.4.2 first.

Changelog

Security

  • CVE-2024-3596 (BlastRADIUS) mitigations for pam_radius (T7285).
  • Remove io_uring support from the kernel (T7428).

New features and improvements

  • Add support for AMD pstate driver: set system option kernel amd-pstate-driver <active|passive|guided> (T6703).
  • Allow setting name server for containers: set container name <name> name-server <address> (T6927).
  • Add support for configuring container registry mirrors: set container registry <FQDN> [authentication username/password] (T7092).
  • Add support for privileged containers: set container name <name> privileged (T7412).
  • Route leaking using route-map: set protocols bgp address-family <AF> route-map vrf import <name> (T7157).
  • Add an option to filter show bgp ipv4/ipv6 vpn output by RD and prefix (T7227).
  • dhcp: support definition of custom DNS server for specific static mappings (T6993).
  • VPN IPsec add the ability to exclude IPv6 traffic selectors for VTI interfaces: set vpn ipsec site-to-site peer <peer> vti traffic-selector <local ... | remote ...> (T7343).
  • Add an option to import routes from a non-default table into the system RIB: set system ip import-table <num> [distance <num> | route-map <name>] (T7349).
  • Image update: confirm image name is available before accepting (T7359).
  • Add auto-ignore-prefix option for router advertisements (T7380).
  • Add system kernel option quiet to suppress boot messages (T7397).
  • Add missing BGP commands show * bgp neighbors * advertised-routes detail or show * bgp neighbors * received-routes detail (T7509).
  • Build package binaries script should exit if a package repository cannot be cloned for some reason (T7530).
  • Add an option to disable automatic IPv6 router advertisements for BGP routes: set protocols bgp parameters no-ipv6-auto-ra (T7531).

Bug fixes

  • Stray compiled Python objects break the VMware virtual machine resume script (T3681).
  • PKI import OpenVPN shared key includes unexpected BEGIN and END (T5744).
  • dhcp6c@pppoe0.service cannot stop gracefully when VyOS shuts down (T6113).
  • Updating the system image without enough space for the files can break the system (T6144).
  • no-default-route not being honoured (T6253).
  • Autocomplete for "show arp interface" is missing non-ethernet interfaces (T6792).
  • System CA Not Updated with Configuration (T6809).
  • FRR config is lost upon daemon restart (T6963).
  • Issue with Configuration Migration from VyOS 1.3.8 to 1.4.1 (T6968).
  • dhcp: smoketests fail as IP address is not removed in time (T6972).
  • Allow configuring IPoE servers without a client IP pool if DHCP relay is used (T6997).
  • Boot failure after installing on RAID1 (T7049).
  • OpenVPN error: Unable to bind the tunnel interface to the bridge if misconfigured first (T7056).
  • Adding the community 'internet' throws an exception (T7116).
  • PKI: Unable to switch from custom cert to ACME when haproxy service is running with 'redirect-http-to-https' option (T7122).
  • "show qos shaper" doesn't work with VRFs (T7138).
  • Some sysctl options like nf_conntrack_buckets are different between a clean install and the first reboot (T7208).
  • NAT checking translation address is an expensive operation (T7237).
  • Wireguard: Traceback error received if the public-key starts with // (T7246).
  • certbot: When using ACME certificates, consuming daemons are not reloaded on update (T7249).
  • op-mode: not all groups are displayed correctly with `show firewall groups` (T7282).
  • VPN Openconnect does not check the dictionary key server with the authentication mode RADIUS (T7287).
  • VPN IPsec log level does not work (T7290).
  • Need commit validation for interfaces when mtu configured below 1280 (T7316).
  • wifi: mac80211_hwsim kernel module no longer supports VLAN interfaces in smoketests (T7325).
  • grub: "system option kernel" options are not honored after image upgrade (T7327).
  • FQDN resolver uses IPv4 cache for failed IPv6 resolution (T7333).
  • Haproxy mistake URL instead of the PATH in the description redirect-location (T7335).
  • isisd: Fix memory leaks when the transition of neighbor state from non-UP to DOWN (T7341).
  • netplug: PermissionError on fast interface changes (T7346).
  • Add an option to limit the number of threads for accel-ppp services (T7348).
  • Do not allow deleting interfaces referenced in flowtables (T7350).
  • netplug: behavior change 1.3.8 -> 1.4 when interface with DHCP address loses carrier (T7353).
  • netplug: DHCPv6 address is not cleared when interface is going to operational down (T7360).
  • Arguments of lb_config are not properly quoted (T7372).
  • IPv6 assigned address using SLAAC is not cleared when SLAAC is deconfigured (T7375).
  • Invalid sysctl configuration during startup causes IPv6 default route to be installed for DHCPv6 only interface (T7379).
  • Router advertisement duplicate prefix safeguard (T7389).
  • HTTPS API listens on all addresses after changing its listen-address (T7393).
  • Image upgrade fails when the "system option kernel" subtree is empty (T7394).
  • Update vyos-http-api-tools for package h11 security advisory (T7398).
  • smoketest: fix unbound variable issue when checking for VXLAN remote and group error (T7400).
  • smoketest: TypeError: VyOSUnitTestSHIM.TestCase.getFRRconfig() got an unexpected keyword argument 'substring' (T7401).
  • FRRouting Configuration Loss on Abnormal Service Restart (T7411).
  • Conntrack rule fails When Using Comma-Separated Ports (T7414).
  • QoS match TCP ACK not working (T7415).
  • vrf: config Migration failed 1.3.4 --> 1.4.2 for static routes (T7417).
  • Add the missing kernel option CONFIG_PSAMPLE (T7437).
  • reboot/shutdown: unable to log in prior 5 minutes to planned reboot/shutdown time (T7443).
  • VPN IPsec unexpected passthrough logic bug (T7458).
  • Unable to load the config file when community attribute is defined with "replace" (T7460).
  • CoA is not applied to Accel-PPP services (T7463).
  • Bonding interface mode allows malformed variations of 802.3ad (T7466).
  • IPoE: Add stricter validation for giaddr if dhcp-relay is configured (T7472).
  • Modem connection code doesn't work (T7492).
  • Fix commit-confirm action 'reboot' (T7500).
  • Remove unnecessary PAT for docker image rebuild (T7501).
  • Table 254 is a default table and must not be used for VRF (T7506).
  • Fix default commit-confirm action (T7508).
  • OSPF NSSA translation error (T7510).
  • Unable to apply OpenConnect RADIUS accounting settings (T7511).
  • Container sysctl parameters with values containing spaces cause errors (T7532).
  • wwan: extend smoketests to cover WWAN driver option and hwsim (T7539).
  • pki: TypeError: argument of type 'NoneType' is not iterable when HAProxy is not in use (T7573).
  • Upgrade from 1.3.x to 1.4.2 or later fails due to an ISO image format change (T7610).
  • Deleting the TACACS server configuration raises an error (T7632).

Other resolved issues

  • Display the non-production banner depending on the build type (T7159).
  • Image build fails due to missing linux-tools package (T7253).
  • Remove support for GnuPG signatures (T7301).
  • Addition and deletion of allowed-vlans on a bridge member is slow (T7322).
  • Add vyos prefix to package names of RADIUS libs (T7336).
  • Build a compatible version of bash-completion from source (T7344).
  • Do not use Debian Buster repos in image build (T7345).
  • Console text remains white and bold after boot messages (T7356).
  • Use the reusable completion helper for the RADIUS dynamic authorization option in PPP/IPoE services (T7471).
  • Fix the typo in completion help for remote option in dhcp-server high-availability (T7559).
  • Pin iproute2 version 6.14.0-3~bpo12+1 for sagitta (T7519).
  • Add apply_patches option for the build packages script (T7342).

Thanks to all the team and all community members who contributed to this release!

 

 
