> Hi,
>
> It would be much more helpful if Cisco would publish their advisory
> quickly now, now that the CERT advisory is out - especially clarifying
> which configurations are vulnerable and which ones are not (like "if
> you do not have 'snmp-server host ...' statements, and if you only use
> 'snmp-server community' with ACLs, you are not vulnerable" - if that's
> the way it is).
>
> Upgrading a large production network on the basis of nebulous "it would be
> better to upgrade, you'll see!" is not good advice.
>
Gert,
I sympathise with your point of view, but I think its hard to be
in Cisco's place were you have to balance a mass panic/attack against
letting some key networks/infrastructure deal with the issue before release.
You asked questions, people answered based upon what they could
say under various non-disclosure agreements and under the treat of being
the idiot that release the info to the public before anyone was
ready. My hats of to you for noticing it though :-).
In my view Cisco handled this very well, much better than other vendors,
although it would be nice if we had non-buggy code :-).
Regards,
Neil.
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:04 EDT