Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

Cisco Security Advisory Versions

Hi,

 

I have a few questions regarding the versions released in the Cisco security advisories.

I'm looking over the affected products here: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash

The affected/fix releases for Nexus 7000 switches are here: https://tools.cisco.com/bugsearch/bug/CSCuq98748

My questions are outlined below:

  1. The whitepaper here: http://www.cisco.com/web/about/security/intelligence/ios-ref.html, specifies that NX-OS versions on Nexus 7000 switches are in the format X.Y(Z). The last 2 affected releases are not in this format. Is there somewhere that more accurately outlines the version scheme for NX-OS?
  2. The platform dependent maintenance release number is shown as an integer in the white paper above. What is the significance of the decimal in the advisory releases?
  3. There are many more fix releases than affected releases. Why is this?
  4. If a fix release is listed, does that mean that platform stream has affected releases? If so, how do you determine which releases are affected?

 

Everyone's tags (1)
1 ACCEPTED SOLUTION

Accepted Solutions
Community Member

Hiunfortunately I have just

Hi

unfortunately I have just one answer and some new questions...

The answer regards question #2, about the decimal.

The decimal is given to "interim" releases. These releases are internal on Cisco and are not usually published on CCO (unless they are requested via a Service Request or special file access). For the "official" fix one should always look for the release with the first integer that follows the interim number.

Now for my question.

On the Bug Notes I read "All current versions of NX-OS on this platform are affected unless otherwise stated". Then on the "Known Affected Releases" only 8 are shown. I see two options to decode this two pieces of info:

A. ALL releases older that the 8 listed are vulnerable

B. Only the 8 listed are vulnerable

C. Only the 15 "Known fixed" or others more recent than those 15 are non vulnerable.

 

By just reading the case notes I cannot conclude for sure if a given release (as 6.2(2) for example) is vulnerable or not. Can someone from Cisco clear this?

Thanks and Regards

 

2 REPLIES
Community Member

Hiunfortunately I have just

Hi

unfortunately I have just one answer and some new questions...

The answer regards question #2, about the decimal.

The decimal is given to "interim" releases. These releases are internal on Cisco and are not usually published on CCO (unless they are requested via a Service Request or special file access). For the "official" fix one should always look for the release with the first integer that follows the interim number.

Now for my question.

On the Bug Notes I read "All current versions of NX-OS on this platform are affected unless otherwise stated". Then on the "Known Affected Releases" only 8 are shown. I see two options to decode this two pieces of info:

A. ALL releases older that the 8 listed are vulnerable

B. Only the 8 listed are vulnerable

C. Only the 15 "Known fixed" or others more recent than those 15 are non vulnerable.

 

By just reading the case notes I cannot conclude for sure if a given release (as 6.2(2) for example) is vulnerable or not. Can someone from Cisco clear this?

Thanks and Regards

 

Purple

   I have those same

   I have those same questions.  Also the "fixed" releases are not in the general download section for the Nexus so how do you download those versions? we are running 6.2.2 also for the 7000's.   Do you have to open a TAC case just to get the "fixed" releases ?  Also for Nexus 5000 there is  "0" fixed versions as of right now , when will those be available ?

166
Views
5
Helpful
2
Replies
CreatePlease to create content