FIRMWARE CHANGE HISTORY
-----------------------

IBM Flex System Interconnect Fabric version 7.8.15.0 (Released September 2016)

** Changes since the 7.8.14.0 release **

Enhancements: none

Changes: none

Fixes:
- Switch would fail to generate SNMP traps when STP was not stabilized for
  default spanning tree group (STG 1) early on at bootup. (51622)
- A crash would occur when uploading a configuration to the switch, where the
  configuration file was edited to remove the leading Tab from the commands
  under "vlan dot1q" menu. (12816/LV299681)
- Switch could crash when processing SSL traffic received on the management
  interface. (50705)
- Switch could crash upon Hotlinks failover/failback with a fully functional
  NPV or full-fabric configuration in the presence of ‘hotlinks fdb-update’
  feature. (62032)
- Password for tacacs users could not be changed from the switch using the
  "primary-password" command when the "tacacs-server password-change" feature
  is enabled. (63530)
- Fixed OpenSSL vulnerabilities as reported in CVE Advisories CVE-2016-2108.
  (ALIRT LEN-7502). (55174)
- Fixed security vulnerabilities as reported in CVE Advisories CVE-2016-3705,
  CVE-2016-3627, CVE-2015-8806, CVE-2016-4447, CVE-2016-4449, CVE-2016-4448
  (libxml2). (57176, 55781, 58942, 58943)

================================================================================

IBM Flex System Interconnect Fabric version 7.8.14.0 (Released June 2016)

** Changes since the 7.8.13.0 release **

Enhancements: none

Changes: none

Fixes:
- Incorrect port number is displayed in the warning message, when trying to
  enable UFP on a port via BBI, if vports are configured with a total minimum
  bandwidth that is less than 100% of port's bandwidth. (55172)
- A warning message is incorrectly displayed when configuring UFP via BBI, on
  a port when the total minimum bandwidth of the vports equals 100% of port's
  bandwidth.
  (54756)
- Switch could crash when enabling HTTPS protocol, while the switch was trying
  to connect to the VSI Manager. (50435)
- In a Stacked Configuration, switch would crash when trying to apply
  configuration using the NETCONF protocol. All access to the NETCONF protocol
  in stacked configurations, which is not supported, is now disabled.
  (50339, 50353)
- Packets with destination IP 127.x.x.x received by the switch could result in
  high CPU utilization leading to failure for the stack to initialize and
  converge. (50244)
- Using Cisco ACS, version 5.3 and above, to authenticate users with TACACS
  protocol, could lead to the User Interface thread (SSHD,AGR,TNET,CONS) to be
  suspended forever, thereby denying any further authentication with the
  TACACS protocol. (LV307694/7383)
- A crash would occur in stacked configuration upon fetching objects from the
  ufpInfoVportTable (.1.3.6.1.4.1.20301.2.5.17.2.6) when running multiple
  sessions of SNMP walk concurrently. (40518)
- Server might lose access to upstream SAN fabric through an FCoE UFP channel
  upon a switch reboot in the presence of a high number of VLANs/Spanning Tree
  instances on the switch. (50483)
- The switch’s browser based interface (BBI) was susceptible to security
  vulnerabilities XSS (stored cross-site scripting) and CSRF (cross-site
  request forgery). The web security policy mechanism HSTS (HTTP Strict
  Transport Security) has been implemented on BBI. (49409, 49427, 49471)
- The switch’s browser based interface (BBI) would fail to honor the
  “cache-control=no-cache” directive and still cache the pages. The value of
  the “cache-control” directive has been changed from “no-cache” to “no-store”.
  (49475)

================================================================================

IBM Flex System Interconnect Fabric version 7.8.13.0 (Released February 2016)

** Changes since the 7.8.12.0 release **

Enhancements: none

Changes:
- The output of “show tech-support” now includes the isCLI commands as headers
  before their respective output. (38125)

Fixes:
- UFP vPort status between Server NIC and Switch could be inconsistent after a
  server reboot. (45179)
- Switch could crash when the server is configured with more than 4 UFP vNIC
  functions per port (switch only supports 4 vPorts). The switch will now shut
  down the vPorts when the mismatch occurs. (40296)
- Storage paths established using FCOE would be lost as new VLANs are added to
  the switch configuration during run time. (41493)
- Fixed OpenSSL vulnerabilities as reported in CVE Advisories CVE-2015-7575
  (SLOTH). (47856)
- Fixed OpenSSL vulnerabilities as reported in CVE Advisories CVE-2015-3194,
  CVE-2015-3195. (46801)

================================================================================

IBM Flex System Interconnect Fabric version 7.8.12.0 (Released October 2015)

** Changes since the 7.8.11.0 release **

Enhancements: none

Changes:
- The command "show flash-dump-uuencode" in the isCLI menu and its equivalent
  "/maint/uudmp" from the IBMNOS-CLI menu have been deprecated. The reference
  to use this command has been removed from the help tip that is posted upon
  user login if a flash-dump exists on the switch. (XB282980)

Fixes:
- The switch would fail to send ICMP TTL Exceeded messages back to the source
  when the incoming ICMP packet had a TTL of 1 with a destination address of
  the VRRP IP of the switch. As a side effect, Traceroute between devices
  would fail if the VRRP IP of the switch were one of the hops in the path.
  (LV311922)
- A switch would hang upon watchdog timer expiry in a stacked setup, when the
  switch was either a member switch or a master switch with a backup
  configured.
  (XB300611)
- Packets with the destination MAC address of the stack are processed by the
  member switch CPU instead of master switch CPU, after ip routing is enabled
  and disabled, causing network loops. (XB268308)
- All packets received with a certain MAC address are flooded subsequent to
  receiving an IGMP Join/Leave on the stack member with the same MAC address
  as source MAC. (XB271036)
- When using a stack, configuration changes such as enabling/disabling
  ‘ip routing,’ adding/removing an IP address could cause traffic to be CPU
  routed, instead of hardware routed. (LV312593)
- In NPV Gateway mode, Enodes could fail to login through the switch when the
  uplink FC switch had the persistent FCID feature enabled. (LV311670)
- FCOE connections would be lost when the /sbin/llddpnetmap script (utility
  from VMware vSphere) was run. The script was incorrectly causing the switch
  to detect multiple peers, causing DCBX to be out of sync. The connection
  would be restored after a shut/no shut of the affected ports.
  (XB300488,7400)
- When configuring “qos bandwidth min” on an UFP port, the switch would
  incorrectly allow the sum of the minimum bandwidth to be less than 100%.
  (40181,40295)
- Fixed OpenSSL vulnerabilities as reported in CVE Advisories CVE-2015-1788
  (BN_GF2m_mod_inv), CVE-2015-1789 (X509_cmp_time) and CVE-2015-1792
  (do_free_upto). (39415)

================================================================================

IBM Flex System Interconnect Fabric version 7.8.11.0 (Released July 2015)

** Changes since the 7.8.10.0 release **

Enhancements: none

Changes:
- Additional Debug information has been added to the flash dump to gather
  internal timer information. (XB269085)

Fixes:
- FC port would send out FIP Advertisements despite FIPS being disabled on the
  port. Users will now be prevented from disabling FIPS and/or FCF mode on an
  FC port. (LV300602)
- The mapping between local and remote ports is incorrect when using standard
  LLDP MIBs.
  The same is not true for private LLDP MIBs (lldpInfoRemoteDevicesTable).
  (XB299432)
- Configuration of an ipv6 Link Local Address as default gateway on management
  interface from the CMM would fail. (LV306988)
- User configured ACLs would fail to drop subnet directed ping. (LV295376)
- When using SSH the System notice was not being displayed before the login
  challenge phrase. (LV309949)
- Inserting an unsupported transceiver could cause port link down to remain
  even after inserting a supported DAC cable. (LV310839)
- Fixed OpenSSL vulnerabilities as reported in CVE Advisories CVE-2015-0286
  (ASN1_TYPE_cmp).

================================================================================

IBM Flex System Interconnect Fabric version 7.8.10.0 (Released March 2015)

** Changes since the 7.8.8.0 release **

Enhancements: none

Changes:
- Fixed OpenSSL vulnerabilities as reported in CVE Advisories CVE-2014-3572,
  CVE-2015-0204, CVE-2014-8275, CVE-2014-3570.
- Fixed security vulnerabilities as reported in CVE Advisories CVE-2014-0191
  (libxml2), CVE-2013-2877 (libxml2), CVE-2014-3660 (libxml2), CVE-2013-2566
  (RC4 algo, TLS protocol)

Fixes:
- VLAG ports would stay in err-disabled state despite expiration of the
  Startup Delay Interval, if they were members of L2 failover group.
  (LV299952)
- Switch would crash when it receives a gratuitous ARP request for an IP
  address that was configured on the switch. (LV301785)

================================================================================

IBM Flex System Interconnect Fabric version 7.8.8.0 (Released November 2014)

** Changes since the 7.8.7.0 release **

Enhancements:

LACP Individual Mode
--------------------
When this feature is enabled on an LACP port-channel, if a member port of the
port-channel does not receive any LACPDU over a period of time, it will be
treated as a normal port which may forward data traffic according to its STP
state.

Changes: none

Fixes:
- FCoE sessions could flap due to the High CPU Utilization caused by the
  software flooding of Clear Virtual Links packets with an unknown destination
  MAC in the FCoE VLAN. (LV296464)
- Configuration changes could be denied with the error "Error: STP cannot be
  enabled on FC port .", if any vlan assigned to a fiber channel port is a
  member of a MSTP instance. (X294677)

================================================================================

IBM Flex System Interconnect Fabric version 7.8.7.0 (Released September 2014)

** Changes since the 7.8.6.0 release **

Enhancements: none

Changes: none

Fixes:
- Ports INTB1 & INTB2 would be disabled, when CMM failover occurs due to loss
  of physical connectivity on the active CMM link. (XB172285)
- CMM could incorrectly report the switch to be offline for about 30 seconds
  at boot up, after failing to query switch information. A notification
  "communication offline" shows up on the CMM UI during this time, and is
  cleared once the CMM establishes communication to the switch. (XB268099)
- Fixed OpenSSL vulnerabilities as reported in CVE Advisories CVE-2014-3505,
  CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3509, CVE-2014-3510,
  CVE-2014-3511. (XB293143)
- FCOE sessions would flap at random and the message "Could not read FC module
  temperature" would be logged due to deadlock on the I2C bus shared between
  Ethernet and Fiber Channel modules. (XB281638)
- Receive FCS Errors would be reported on ports EXT1 and EXT2 when using 7m or
  longer passive DAC cables due to incorrect firmware settings. The "Receive
  FCS Error Frame Counter" would increase on these ports. (XB280713)
- Changes to configuration are denied with the error "Error: Ports x and y
  have the same LACP admin key but different link settings
  (speed/duplex/flowcontrol).", when links x and y with dissimilar cables
  (i.e. DAC and SFP+) are aggregated.
  (XB282364)
- All FCOE FIP solicitation messages were tied to the lowest numbered port in
  the NPV Vlan, even when no FCF ports were online in the NPV Vlan. (XB290563)
- A crash would occur after multiple failed attempts to login via SSH or BBI,
  if secure-backdoor is enabled and the configured remote RADIUS/TACACS
  authentication servers can be reached. (XB293746,XB292790)
- Secure-backdoor access to the switch fails via SSH, when configured remote
  RADIUS/TACACS authentication servers can be reached. (XB293743,XB294261)
- Secure-backdoor and backdoor access to the switch via SSH, fails to prompt
  for username. (XB292116,XB293076)
- Saved IP Gateway configuration is lost upon reload or upon issuing "copy"
  commands when associated IP interface is deleted. (XB274331)
- A crash would occur when hotlinks active interface is disabled and enabled
  in quick succession. (XB278024)
- Executing "copy tech-support" family of commands could result in instability
  in the stack and cause FCOE sessions to flap. (XB274963,XB274963)
- The internal/external controlled ports from all units other than the master
  remain down post reload, in a L2 Failover AMON/MMON scenario.
  (XB275310,XB277583,XB277982)
- Changes to configuration are denied with the error "Error Ports ... have the
  same LACP admin key but different STP edge settings" after a non-existing
  VLAN is added to a port, if LACP and STP edge/portfast are both enabled on
  the port. (XB282083)

================================================================================

IBM Flex System Interconnect Fabric version 7.8.6.0 (Released July 2014)

** Changes since the 7.8.5.0 release **

Enhancements: None

Changes:
- Internal debug usernames have been removed from the firmware to prevent
  potential backdoor access.
  (XB282666)

Fixes: None

================================================================================

IBM Flex System Interconnect Fabric version 7.8.5.0 (Released June 2014)

** Changes since the 7.8.4.0 release **

Enhancements: None

Changes:
- A security vulnerability existed in the OpenSSL Protocol that is used in IBM
  System Networking Ethernet Switches. (CVE-2014-0224)

Fixes: None

================================================================================

IBM Flex System Interconnect Fabric version 7.8.4.0 (Released June 2014)

Initial Release of IBM Flex System SI Fabric.