@syncer can we close this task? see @higebu fix..

falso fixed in 1.1.8

changes cherry-picked to lithium branch

@syncer: Thinking about it I have a different proposal:

Just added Finished Board for 1.2.x project
we likely will keep all there before include it in some milestone release

Tag VyOS 1.2.x should be removed as CVE is already fixed.

maybe we can use something like | not-strip-private
for cases when dump should contain all info

strip-private is a bash-pipe function (/etc/bash_completion.d/vyatta-op).

@UnicronNL can we fix and include this in 1.1.8 ?

@dmbaturin can you merge this pull request?

@EwaldvanGeffen confirmed that fix was done for 1.1.x
@dmbaturin can you merge it and introduce in 1.1.8 ?

Can you check this @dmbaturin @UnicronNL

VyOS 1.1.7 also has two interfaces (vti0 and ip_vti0)

@syncer https://github.com/vyos/vyatta-cfg-quagga/pull/15

Using VyOS 999.201708292137 I'm able to reproduce this.

reproducible like that

@c-po try to delete upper node

I double checked with VyOS 1.1.7 where I can not reproduce the error. Is version 1.1.7 correct in this BUG report?

@c-po I don't have any of that in my configuration any longer. As I said in my last comment, I found a work-around to delete the bit that was causing the problem. I ended up not using vti interfaces in my system.

@ethomas could you please provide a full configuration for my tests? The only thing I see is:

I'll start an investigation after T345.

Ok

@c-po do you want to pick up this?
Basically we need to filter out private info by default
currently it possible to do via

Hey Christian,
assigning it to you

Fine!

Fine.

Fixed in Kernel 4.4.26. VyOS 1.2.x (development) uses 4.4.47.

@EwaldvanGeffen pointed another issue in T329
.bash_history content also must be processed (private info must be stripped) before it included

Well is part of show tech-support, output of which must be reviewed,
but i agree

@syncer not in the config dump, in the bash-history that's included.

@EwaldvanGeffen see T328

I just noticed your pastes. We need to filter out the set password commands as they will contain plaintext passwords. This could be solved by making the command interactive (it asks for the password to be typed in) similarly to other platforms. There might be other stuff that requires filtering-out history or refactoring.

We need to change default behaviour and enable strip-private by default
add key not-strip-private for cases when complete dump required

Fix for 1.1.8: https://github.com/vyos/vyos-kernel/commit/ee76a91c5468452a37dda9dd9133acc83014e95b

Fix for 1.1.8: https://github.com/vyos/vyos-kernel/commit/b080c57a1f0f005e0b6c20de67fc0add4d4a3294

this one is simple,
Kim please check

Fix for 1.1.8: https://github.com/vyos/vyos-open-vm-tools/commit/c149ffb6127f52653d9ee90883fa48608a5936ec

As this already merged, moving this to backlog for 1.1.8

Another good candidate for 1.1.8,
@UnicronNL @dmbaturin can you confirm and move to backlog

Please confirm that i can move this to 1.1.8 backlog

@EwaldvanGeffen can this patch go to 1.1.8?

Another CVE considered for 1.1.8

As this was merged, moving it to 1.1.8 backlog

Please check when you have time for 1.1.8

@dmbaturin @UnicronNL
any idea why this can happen,
as per report both current and stable affected

@dmbaturin confirmed that it can be included in 1.1.8

Added to 1.1.8 backlog

@UnicronNL @dmbaturin is something that is acceptable for 1.1.8 or should i move it to 1.2.x wish list instead?

I move this to backlog as it seems to be merged already

@UnicronNL can you add this fix

Assigned to Kim

@higebu lets change OS to Debian6 (so we can assign VMXNET3)
and set VMXNET3 adapter by default

We need to include that in 1.1.8