[cisco-voip] Appliance OS patch info & is CM susceptible to CVE-2009-0040 ???

paul dial dialp at ucar.edu
Thu Apr 23 10:20:55 EDT 2009


I'm hoping someone can shed some light on obtaining OS update
information for the appliance model.  Not too long ago we moved from
4.1.3 to 6.1.2 (and we've since upgraded to 6.1(3b)SU1).  With Windows
as the OS, Cisco would provide Cisco-scrubbed versions of the monthly
Windows patches and it was pretty clear what was being patched and the
vulnerability being addressed.

With the appliance model, my understanding is that the OS and
application updates both take place when applying service updates.
Again, I believe Cisco is providing Cisco-scrubbed updates to the OS.
I'm not able to find any documentation similar to what was provided with
the Windows patches.  I have no idea what was patched or the
vulnerability being addressed.  I've looked through some of the release
notes for Engineering Specials and Service Updates, but was not able to
find any OS-related information.

Can someone please confirm that OS updates are included in service
updates and/or engineering specials?

Does anyone know where to find information on OS patches for the
appliance model?

Another related concern:  I frequently get alerts from our security
team, some of which contain vulnerabilities or exploits for Red Hat
packages that are part of the base release used for CM.  As an example,
at the end of Feb '09 I received information about a vulnerability for
'libpng':

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0040

Running 'show packages active' on CM 6.1(3b)SU1 shows this:

admin:show packages active libpng
Active Side Package(s): for libpng package(s)
libpng-1.2.2-25

Based on CVE-2009-0040, I believe this version is susceptible to the
vulnerability, but I'm not sure how to confirm or if it has been fixed?

Granted, this is somewhat after the fact, but when these alerts are
first announced, how does one find out if:

1) Cisco has already addressed the issue and which patch contains the fix.
2) Cisco is aware of the vulnerability but it does not affect CM.
3) Cisco is working on a fix.

I've checked my PAT profile and I have security advisory, notice, and
response selected for Communication Manager. Most of these announcements
appear to be application related as opposed to OS.

Thanks,

-- Paul
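As an added example (not part of the original post or any Cisco tooling), here is a small Python helper that parses the `show packages active` output quoted above and compares each installed package's version-release against a vendor-stated fixed version-release using RPM-style segment ordering. The sample CLI output and the "fixed" version are constructed placeholders; the real fixed version-release has to come from the vendor advisory for the CVE in question.

```python
import re

# Constructed sample of what the appliance CLI prints; not captured from a real system.
SAMPLE_OUTPUT = """admin:show packages active libpng
Active Side Package(s): for libpng package(s)
libpng-1.2.2-25
libpng-devel-1.2.2-25
"""

# Placeholder: the version-release the vendor states as containing the fix.
FIXED_EVR_PLACEHOLDER = ("1.2.2", "26")


def parse_active_packages(text):
    """Return {name: (version, release)} from 'show packages active' output."""
    pkgs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("admin:") or line.startswith("Active Side"):
            continue  # skip the echoed command and the banner line
        name, version, release = line.rsplit("-", 2)  # the name itself may contain '-'
        pkgs[name] = (version, release)
    return pkgs


def _segments(s):
    # Split "1.2.10" or "25.el4_7" into numeric and alphabetic runs.
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpm_vercmp(a, b):
    """RPM-style comparison: numeric segments compare numerically, alpha ones lexically."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment sorts newer than an alpha one
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # longer version wins on a tie


def evr_cmp(installed, fixed):
    """Compare (version, release) tuples: version first, then release."""
    c = rpm_vercmp(installed[0], fixed[0])
    return c if c else rpm_vercmp(installed[1], fixed[1])


def status(pkgs, name, fixed_evr):
    """Classify a package relative to the vendor's fixed version-release."""
    if name not in pkgs:
        return "not installed"
    return "at or above fix" if evr_cmp(pkgs[name], fixed_evr) >= 0 else "below fix version"
```

Because Red Hat and appliance vendors backport fixes into the same upstream version and only bump the release number, the comparison must be against the vendor's fixed version-release, not the upstream version quoted in the NVD entry.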
