[cisco-voip] glibc/ghost vulnerability

Charles Goldsmith wokka at justfamily.org
Fri Jul 10 11:41:50 EDT 2015


I have a customer that is tracking the progress on updates for this bug,
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150128-ghost
and most of our voice apps have updates, except for UCCX.  One of their
customers, big bank, audits their progress on security updates and ghost is
on their radar, so they have pressure from a customer to update all apps.

Customer is currently on 8.6 cucm / 8.5 uccx and we have plans to upgrade
them, but waiting on the ghost fix.  CUCM, CUC, IM&P/CUPS all have
published fixes and most are just minor ES type updates.

UCCX is showing that the only fix is going to be in 11, and I opened a TAC
case to ask about this.  I'm told that this is a platform fix
(understandable), and it would only be a major upgrade, not a cop.

I understand that CUCM and UCCX are both VOS, and that it's probably not
the same version, but I don't understand why the platform team for CUCM can
give us a minor patch but we can't get the same out of UCCX.

I'm sure most of you are like me, and steer clear of .0 releases.  There is
an old saying, dot Oh, oh no.

I'm not comfortable advising a customer to upgrade to the 11.0 release.

Would like thoughts on this, and some explanation of the differences of the
VOS between CUCM/CUC and UCCX.

Thanks!!