[c-nsp] Cisco Security Advisory: Cisco IOS Software Tunnels Vulnerability

Jared Mauch jared at puck.nether.net
Thu Sep 24 10:01:10 EDT 2009

(psirt alias removed)

On Sep 24, 2009, at 3:26 AM, Gert Doering wrote:

> Hi,
> On Wed, Sep 23, 2009 at 08:11:28PM -0700, Bill Blackford wrote:
>> Sorry to reply to my own post. Someone on the list contacted me
>> off-list to point out that this does *not* include the "12.2.S"  
>> release.
> Well, since there *is no* other IOS than 12.2 SR / 12.2 SX for the
> Cat 6.5 / 7.6 boxes, it would be somewhat difficult to move to 12.4  
> here...

	The "end" of 12.2 Mainline does not impact the subtree SR/SX software  
trains.  These continue to live-on for bugfixes.

>> I apologize to the group.
> I can certainly understand the confusion caused by the IOS train  
> splits...

It's hard to understand, Cisco is a product company with hundreds of  
solutions and software sets that are tied to a platform, which have  
lineage to some long-dead train. This is the culture that has been  
created to ship a solution when a customer demands instead of when  
some engineering criteria has been met.

The balance is certainly tipped in favor of cisco collecting $ vs  
providing a quality product, I've watched this play out many times.  
This doesn't mean that PSIRT and other teams are not trying to do the  
right thing, just that the pull of revenue is strong. PSIRT is one of  
the best teams at cisco since they have the power to do the right  
thing, so please don't shoot the messenger :)

- Jared

More information about the cisco-nsp mailing list