FIRMWARE CHANGE HISTORY
-----------------------

Lenovo RackSwitch G8296 Version 8.2.6.0 (Released May 2016)

** changes since 8.2.5.0 **

Enhancements:

- Extend the ability to support BiDi 40G transceiver. (51118)
- Extend the ability to configure syslog server port from the switch user
  interfaces. (50898)
- Extend the ability to configure the attribute "username" for MS-AD LDAP.
  (54981)

Changes: none

Fixes:

- The switch would fail to send ICMP TTL Exceeded messages back to the source
  when the incoming ICMP packet had a TTL of 1 with a destination address of
  the VRRP IP of the switch. As a side effect, Traceroute between devices
  would fail if the VRRP IP of the switch were one of the hops in the path.
  (LV311922)
- Server might lose access to upstream SAN fabric through an FCoE UFP channel
  upon a switch reboot in the presence of a high number of VLANs/Spanning Tree
  instances on the switch. (50483)
- The switch’s browser based interface (BBI) was susceptible to security
  vulnerabilities XSS (stored cross-site scripting) and CSRF (cross-site
  request forgery). The web security policy mechanism HSTS (HTTP Strict
  Transport Security) has been implemented on BBI. (49409, 49427, 49471)
- The switch’s browser based interface (BBI) would fail to honor the
  “cache-control=no-cache” directive and still cache the pages. The value of
  the “cache-control” directive has been changed from “no-cache” to
  “no-store”. (49475)
- A warning message is incorrectly displayed when configuring UFP via BBI on
  a port when the total minimum bandwidth of the vports equals 100% of the
  port's bandwidth. (54756)
- Incorrect port number is displayed in the warning message, when trying to
  enable UFP on a port via BBI, if vports are configured with a total minimum
  bandwidth that is less than 100% of the port's bandwidth. (55172)
- "show access-control group " would not include ACL IPV6 128 in the output,
  even if it were part of the ACL group.
  (49858)
- "show ldap-server" command displays secondary server IP for current LDAP
  server instead of the primary. (55372)
- Switch could crash when enabling HTTPS protocol, while the switch was
  trying to connect to the VSI Manager. (50435)
- A crash could occur when generating tech support dump via SNMP if vmprofile
  were configured on the switch. (51222)
- A crash would occur when the switch is trying to authenticate users using
  LDAP, where the user group from the LDAP server is wrongly configured with
  an unsupported object class. (47394)
- If the switch were booted directly from USB the image signature would not
  be verified. The image signature would also not be verified if the image
  were copied to the switch flash from USB using the CLI command
  “usbcopy fromusb” or its equivalent using SNMP or BBI. (55780, 54813)
- Fixed security vulnerabilities as reported in CVE Advisories CVE-2015-8710
  (libxml2). (49214)
- Fixed OpenSSL vulnerabilities as reported in CVE Advisories CVE-2015-7575
  (SLOTH). (47856)

================================================================================

Lenovo RackSwitch G8296 Version 8.2.5.0 (Released February 2016)

** changes since 8.2.4.0 **

Enhancements:

- This enhancement allows VRRP to work in two ways under vLAG topology:
    Full Active‐Active: both vLAGs perform L3 traffic routing for the related
    VRRP domain.
    Half Active‐Active: one vLAG performs L3 traffic routing while the second
    one manages L2 forwarding for the related VRRP domain.
  (42955)

Changes: none

Fixes:

- When the reset button is pressed, it could interrupt an I2C transaction and
  lock up the I2C bus leading to a hang in the desired switch reset. A fix
  was added to prevent this sequence of events occurring. (43168)
- The hwMTM variable is added to the SNMP MIB to allow reading of the Machine
  Type Model of the switch. (44107)
- Switch could crash when the server is configured with more than 4 UFP vNIC
  functions per port (switch only supports 4 vPorts).
  The switch will now shut down the vPorts when the mismatch occurs. (40296)
- Using Cisco ACS, version 5.3 and above, to authenticate users with TACACS
  protocol, could lead to the User Interface thread (SSHD, AGR, TNET, CONS)
  being suspended forever, thereby denying any further authentication with
  the TACACS protocol. (LV307694/7383)
- Fixed OpenSSL vulnerabilities as reported in CVE Advisories CVE-2015-3194,
  CVE-2015-3195. (46801)
- Applying a switch configuration containing OSPF commands could fail with
  the message “Routed Port Interface corresponding area (index) 0 is not
  enabled”, when pasting from a serial session. (7071)

================================================================================

Lenovo RackSwitch G8296 Version 8.2.4.0 (Released October 2015)

** changes since 8.2.1.0 **

Enhancements: none

Changes:

- The object sFlowVersion (1.3.6.1.4.1.14706.1.1.1.0) returned IBM in the
  Organization clause instead of Hitachi. (LV301941)
- The Protocols SSH and SLP (Service Layer Protocol) are enabled by default
  on the switch. (38987, 10224)
- The command "show flash-dump-uuencode" in the isCLI menu and its equivalent
  "/maint/uudmp" from the IBMNOS-CLI menu have been deprecated. The reference
  to use this command has been removed from the help tip that is posted upon
  user login if a flash-dump exists on the switch. (XB282980)
- Extended the ability to support Dual Speed 1/10G MMF SFP+ Transceivers.
  (LV311542, LV311078, LV312616)

Fixes:

- The user is incorrectly prompted for "setup configuration" upon login even
  though configuration had been applied and saved, and the startup
  configuration block was set to active. (39158)
- When configuring “qos bandwidth min” on a UFP port, the switch would
  incorrectly allow the sum of the minimum bandwidth to be less than 100%.
  (40181, 40295)
- The output of “show tech-support” now includes the isCLI commands as
  headers before their respective output.
  (38125)
- If the serial number of the switch was changed, the user was prevented from
  successfully installing a new image, and the message “image contains
  invalid signature” would be displayed. (40638)
- Multicast DA (Directory Agent) Advertisements received on the Management
  ports are accounted as Unicast Advertisements. (41080)
- Fixed OpenSSL vulnerabilities as reported in CVE Advisories CVE-2015-1788
  (BN_GF2m_mod_inv), CVE-2015-1789 (X509_cmp_time) and CVE-2015-1792
  (do_free_upto). (39415)
- Fixed security vulnerabilities as reported in CVE Advisories CVE-2015-4000
  (Logjam, TLS protocol) // red releases only (LV311132)

================================================================================

Lenovo RackSwitch G8296 Version 8.2.1.0 (Released June 2015)

Initial Release.