FIRMWARE CHANGE HISTORY
-----------------------

Lenovo RackSwitch G8052, Stack Version 8.3.5.0 (Released May 2016)

** Changes since the 8.3.4.0 release **

Enhancements:

- Extended the ability to configure the syslog server port from the switch user interfaces.
  (50898)

Changes: none

Fixes:

- The switch’s browser based interface (BBI) was susceptible to the security vulnerabilities XSS (stored cross-site scripting) and CSRF (cross-site request forgery). The web security policy mechanism HSTS (HTTP Strict Transport Security) has been implemented on BBI.
  (49409, 49427, 49471)
- Switch session could hang when the command "copy tech-support tftp" is issued in a stacked environment with a large switch configuration. Commands such as 'reload' issued from a parallel session would fail to execute with the error "Image loading or apply command is in progress".
  (48253)
- The switch’s browser based interface (BBI) would fail to honor the “cache-control=no-cache” directive and still cache the pages. The value of the “cache-control” directive has been changed from “no-cache” to “no-store”.
  (49475)
- In a stacked configuration, the switch would crash when trying to apply configuration using the NETCONF protocol. All access to the NETCONF protocol in stacked configurations, which is not supported, is now disabled.
  (50339, 50353)
- Switch could crash when enabling the HTTPS protocol while the switch was trying to connect to the VSI Manager.
  (50435)
- Post failover in a stacked setup with a configured master, after issuing the commands ip routing, no ip routing and clear arp, hosts directly connected to the master fail to ping hosts directly connected to the backup.
  (44877)
- Packets with destination IP 127.x.x.x received by the switch could result in high CPU utilization, causing the stack to fail to initialize and converge.
  (50244)
- A crash could occur when generating a tech support dump via SNMP if vmprofile were configured on the switch.
  (51222)
- A crash would occur when the switch is trying to authenticate users using LDAP, where the user group from the LDAP server is wrongly configured with an unsupported object class.
  (47394)
- "show access-control group " would not include ACL IPV6 128 in the output, even if it were part of the ACL group.
  (49858)
- "show ldap-server" command displays the secondary server IP for the current LDAP server instead of the primary.
  (55372)
- Switch would fail to upload the tech support dump through SNMP with the tftp option. In addition, “Bad file ID 0" messages would be displayed on the console.
  (51195)
- If the switch were booted directly from USB, the image signature would not be verified. The image signature would also not be verified if the image were copied to the switch flash from USB using the CLI command “usbcopy fromusb” or its equivalent using SNMP or BBI.
  (55780, 54813)
- Fixed security vulnerabilities as reported in CVE Advisories CVE-2015-8710 (libxml2).
  (49214)
- Fixed OpenSSL vulnerabilities as reported in CVE Advisories CVE-2015-7575 (SLOTH).
  (47856)

=====================================================================================

Lenovo RackSwitch G8052, Stack Version 8.3.4.0 (Released February 2016)

** Changes since the 8.3.3.0 release **

Enhancements:

- Extended the ability to support Dual Speed 1/10G MMF SFP+ Transceivers on Stacking.
  (LV311542, LV311078, LV312616)

Changes: none

Fixes:

- When the reset button is pressed, it could interrupt an I2C transaction and lock up the I2C bus, leading to a hang in the desired switch reset. A fix was added to prevent this sequence of events from occurring.
  (43168)
- Using Cisco ACS, version 5.3 and above, to authenticate users with the TACACS protocol could cause the User Interface thread (SSHD, AGR, TNET, CONS) to be suspended forever, thereby denying any further authentication with the TACACS protocol.
  (LV307694/7383)
- Fixed OpenSSL vulnerabilities as reported in CVE Advisories CVE-2015-3194, CVE-2015-3195.
  (46801)

=====================================================================================

Lenovo RackSwitch G8052, Stack Version 8.3.3.0 (Released October 2015)

** Changes since the 8.3.2.0 release **

Enhancements:

- Added support for the Multiple Spanning Tree Protocol (802.1s) in stacked configuration.
  (38431)
- Added vLAG Peer Gateway functionality, which allows a vLAG switch to act as the active gateway for packets that are addressed to the router MAC address of the vLAG peer.
  (7390)

Changes:

- The protocols SSH and SLP (Service Layer Protocol) are enabled by default on the switch.
  (38987, 10224)
- The output of “show tech-support” now includes the isCLI commands as headers before their respective output.
  (38125)
- The command "show flash-dump-uuencode" in the isCLI menu and its equivalent "/maint/uudmp" from the IBMNOS-CLI menu have been deprecated. The reference to use this command has been removed from the help tip that is posted upon user login if a flash-dump exists on the switch.
  (XB282980)

Fixes:

- The user is incorrectly prompted for "setup configuration" upon login even though configuration had been applied and saved, and the startup configuration block was set to active.
  (39158)
- If the serial number of the switch was changed, the user was prevented from successfully installing a new image, and the message “image contains invalid signature” would be displayed.
  (40638)
- Multicast DA (Directory Agent) Advertisements received on the Management ports are accounted as Unicast Advertisements.
  (41080)
- The switch would fail to send ICMP TTL Exceeded messages back to the source when the incoming ICMP packet had a TTL of 1 with a destination address of the VRRP IP of the switch. As a side effect, Traceroute between devices would fail if the VRRP IP of the switch were one of the hops in the path.
  (LV311922)
- When using a stack, configuration changes such as enabling/disabling ‘ip routing’ or adding/removing an IP address could cause traffic to be CPU routed instead of hardware routed.
  (LV312593)
- A switch would hang upon watchdog timer expiry in a stacked setup, when the switch was either a member switch or a master switch with a backup configured.
  (XB300611)
- Fixed OpenSSL vulnerabilities as reported in CVE Advisories CVE-2015-1788 (BN_GF2m_mod_inv), CVE-2015-1789 (X509_cmp_time) and CVE-2015-1792 (do_free_upto).
  (39415)

=====================================================================================

Lenovo RackSwitch G8052, Stack Version 8.3.2.0 (Released July 2015)

** Changes since the 8.3.1.0 release **

Enhancements: none

Changes: none

Fixes:

- Fixed OpenSSL vulnerabilities as reported in CVE Advisories CVE-2015-0286 (ASN1_TYPE_cmp).

=====================================================================================

Lenovo RackSwitch G8052, Stack Version 8.3.1.0

Initial Release.