[cisco-voip] glibc/ghost vulnerability

Ryan LaFountain (rlafount) rlafount at cisco.com
Wed Jul 29 08:50:15 EDT 2015


Hi Charles,

This is currently resolved in 11.0(1) only. Since we're still prior to FCS for 11.0, we haven't populated the 'Fixed Releases' Bug Search Tool field yet. We will populate this with the FCS version of 11.0 when we know what specific build / version that will be :)

Thank you,

Ryan LaFountain
Unified Contact Center
Cisco Services
Direct: +1 919 392 9898
Hours: M - F 9:00am - 5:00pm Eastern Time

From: "Wes Sisk (wsisk)"
Date: Tuesday, July 28, 2015 at 12:32 PM
To: Charles Goldsmith, Ryan LaFountain
Cc: voip puck
Subject: Re: [cisco-voip] glibc/ghost vulnerability

The update that happened on the 20th was an internal system update. Basically a change happened on a case that was linked to the bug. This tickled the ‘last-update’ date of the bug.

As far as fixed versions - I’ll look to Ryan on how/when UCCX populates Integrated-releases field.

-Wes

On Jul 27, 2015, at 9:39 AM, Charles Goldsmith <wokka at justfamily.org> wrote:

Ryan/Wes, one last follow-up question: https://tools.cisco.com/bugsearch/bug/CSCus68524 shows that it was updated on the 20th, but I don't see a change, other than it may say fixed now (don't remember before), but it does not show what changed.

Also, of note, since it does say it's fixed, there are 0 fixed versions out.  Can we get some clarification on it?

Thanks


On Fri, Jul 10, 2015 at 5:57 PM, Ryan LaFountain (rlafount) <rlafount at cisco.com> wrote:
To add to what Wes said:

If you have other UCC products that run on VOS (Finesse, SocialMiner, MediaSense, CUIC) you'll see further differences between underlying VOS versions between them, UCCX and CUCM. This causes not only a lot of confusion in tracking bug fixes in the platform between products but delay in integrating fixes like these as Wes has described below.

We are working to address this. The first part is in better tracking of bug fixes and security issues in the platform and between products. The second part is moving to a common underlying platform version and build process for most UCC products. This will greatly speed up our fix inclusion and standardize the underlying VOS version in many of our applications leading to greater consistency and stability. Without exposing too much more, we should see this common VOS in UCC system release 11.0.

HTH.

Thank you,

Ryan LaFountain
Unified Contact Center
Cisco Services
Direct: +1 919 392 9898
Hours: M - F 9:00am - 5:00pm Eastern Time

From: cisco-voip on behalf of Charles Goldsmith
Date: Friday, July 10, 2015 at 5:21 PM
To: "Wes Sisk (wsisk)"
Cc: voip puck
Subject: Re: [cisco-voip] glibc/ghost vulnerability

Gotcha, thanks for the explanation Wes, that's what I was looking for and can explain it to the customer.  I'll let the customer know of the risks and let them make the decision to upgrade or wait for a minor patch.

Thanks!

On Fri, Jul 10, 2015 at 1:58 PM, Wes Sisk (wsisk) <wsisk at cisco.com> wrote:
I’ll lead off with: UCCX does a fair amount of work to customize the VOS platform to their needs. As such they don’t pull in updates and fixes as fast as UCM, UC, and CUP.

I bet if you check the kernel or RHEL version you will find a significant difference, and that contributes to the complexity of the fix.
admin:show packages active kernel
Active Side Package(s): for kernel package(s)
kernel-firmware-2.6.32-431.20.3.el6.noarch
kernel-2.6.32-431.20.3.el6.x86_64
platform-kernel-tunable-1.0.0.0-1.i386
dracut-kernel-004-336.el6_5.1.noarch

RyanL may weigh in with better details.

-w

On Jul 10, 2015, at 11:41 AM, Charles Goldsmith <wokka at justfamily.org> wrote:

I understand that CUCM and UCCX are both VOS, and that it's probably not the same version, but I don't understand why the platform team for CUCM can give us a minor patch but we can't get the same out of UCCX.

I'm sure most of you are like me, and steer clear of .0 releases.  There is an old saying, dot Oh, oh no.

I'm not comfortable advising a customer to upgrade to the 11.0 release.

Would like thoughts on this, and some explanation of the differences of the VOS between CUCM/CUC and UCCX.



