1.1.0 PPTP bug

A user reported a PPTP bug in 1.1.0: options.pptpd is not generated correctly with default options. The symptom is that PPTP does not work at all.

This is the result of a typo in the code for the required authentication protocol options; it will be fixed in the next maintenance release.

Fortunately, the workaround is trivial: set the required authentication protocol manually. Most commonly:

set vpn pptp remote-access authentication require mschap-v2

Thanks Sergey and Antonio for help with finding the bug!

VyOS 1.0.5 is available on the AWS marketplace

The Amazon Web Services team updated the VyOS AMI marketplace listing with the 1.0.5 security release.

It will probably take a while to create a listing for 1.1.0, but you can still launch it from the community AMIs.

Bugzilla maintenance complete

Let us know if you spot any problems.

Bugzilla maintenance at 22:00 UTC

When

22:00 to approx 23:00 UTC

What

http://bugzilla.vyos.net will be inaccessible.

Why

Software update

VyOS 1.1.0 AMI

I’ve submitted the 1.1.0 AMI to the AWS marketplace team for review today, but due to all the AMI updates they have to do due to shellshock it may take up to several weeks for them to process the request.

If you are eager to deploy a 1.1.0 instance, you may try launching it from community AMIs by its id: ami-f4338f9c

Remember that existing 1.0.x instances can be updated to 1.1.0 by using the usual “add system image” command (choose the amd64 image).

1.1.0 release

The 1.1.0 release is now available for download from http://packages.vyos.net/iso/release/1.1.0/, and from the mirrors once they sync.

Detailed information about this release can be found in the release notes.

Helium is frozen

The Helium branch is now frozen. If you have any code you want to merge, please wait until we set up a new branch.

I’ll be making release repos, updating changelogs and doing the rest of the annoying work for the release, and then rolling out 1.1.0 images.

There are some things that are still far from perfect, some bugs were rescheduled, some incomplete fixes were reverted and so on, but this release is already pretty late and some people are just using nightly builds or the beta in production, so probably it’s time to draw a line here and call it 1.1.0.

1.1.0 preview image update

Those who are using 1.1.0-beta can install an updated image from the build system that includes updates for the shellshock vulnerability.

I didn’t do detailed testing, so use your judgement and try the config on a test VM if you are using it on something other than lab routers.

1.0.5 security release

The 1.0.5 release images are available for download from packages.vyos.net, and will soon be available from the mirrors once they sync.

TrustedSec demonstrated a successful attack on dhclient that used the shellshock vulnerability for remote code execution, so it ceased to be just a good excuse to make a maintenance release, and making a fix as soon as possible became the primary objective.

This release included only security fixes. Both shellshock vulnerabilities were patched, along with a number of lesser-known and less exploitable ones; you can see the full list in the release notes.

The 1.1.0 beta release is still vulnerable. Security updates will be pulled into the development repos soon and included in the upcoming 1.1.0 release.

bash and apt vulnerabilities

Recently discovered vulnerabilities in bash and APT are low risk for VyOS, since it doesn’t use CGI scripts written in bash and APT is not normally used for upgrades, but we will release an updated 1.0.x image nonetheless and include the fixes in the upcoming 1.1.0 release as well.

The 1.0.x maintenance release will likely include some backwards-compatible fixes from 1.1.0 too.