
I've run across this Cisco advisory

It says:

This bug was introduced in Cisco IOS XR Software release 3.6.2 and is fixed with SMU hfr-k9sec-3.6.2.CSCtd74795. The SMU ID for this fix in 3.6.2 is AA03656. This vulnerability has been fixed in 3.8.3, 3.9.1, and 4.0.0 for customers running later software versions. Software version 3.7 is not affected by this vulnerability.

I'm trying to figure out something: according to this, 3.6.2 is vulnerable unless fixed with the mentioned SMU.

What about versions such as:

  • 3.6.1
  • 3.6.0
  • 3.5.4 and earlier... are they also vulnerable?

Also, it says it was fixed in 3.8.3 and 3.9.1. Why do they also mention 3.9.1? Isn't 3.9.1 > 3.8.3, so it's obvious that it is also fixed in 3.9.1?

Bart De Vos
soulSurfer2010

1 Answer


You are asking a reasonable question. The first thing to understand is that Cisco's software development often happens in parallel branches [1], with respect to where features are committed.

In this case, a developer simultaneously committed vulnerable code into 3.6.2 and 3.7.1; that vulnerable code escaped Q/A testing and was released on CCO. All software released in those branches after [2] 3.6.2 and 3.7.1 was vulnerable [3] until the fix was committed simultaneously into 3.8.3, 3.9.1 and 4.0.0.


END-NOTES:

  1. See Jeff Atwood's blog Coding Horror: Software Branching and Parallel Universes
  2. Versions 3.5.4, 3.6.0, and 3.6.1 should not be vulnerable, as they were not mentioned in the notification.
  3. Versions 3.8.0, 3.8.1, 3.8.2, and 3.9.0 also contain the vulnerable code.
Mike Pennington
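The point of the answer is that "fixed in 3.8.3" says nothing about 3.9.0, because 3.9 is a separate release train that got its own fix in 3.9.1. A linear "is my version >= 3.8.3" comparison, which is what the question assumes, gets that case wrong. The script below is an added example (not Cisco's data and not the answerer's code): it encodes the advisory as quoted in the question as one row per release train and assesses a running version branch by branch. The assumption that the named SMU only counts on the exact release it was built for (3.6.2) is mine; the entry for 3.7 follows the advisory's "not affected" wording rather than the answer's note about 3.7.1, and versions from trains the advisory never mentions are reported as not listed rather than guessed at.

```python
"""Branch-aware vulnerability check for a multi-train advisory.

Added example: the per-branch table below encodes the Cisco IOS XR
advisory text quoted in the question; it is constructed for illustration,
not an official feed and not the answerer's code.
"""
from typing import Dict, NamedTuple, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'3.8.3' -> (3, 8, 3). Integer tuples compare correctly, whereas
    strings do not ('3.10.0' < '3.9.0' as strings, but not as tuples)."""
    return tuple(int(part) for part in text.strip().split("."))


class BranchStatus(NamedTuple):
    first_affected: Optional[Version]  # None: this train never carried the bug
    first_fixed: Optional[Version]     # None: no fixed release inside this train


# One row per release train (major.minor), taken from the advisory wording.
ADVISORY: Dict[Tuple[int, int], BranchStatus] = {
    (3, 6): BranchStatus(first_affected=(3, 6, 2), first_fixed=None),        # SMU only
    (3, 7): BranchStatus(first_affected=None, first_fixed=None),             # "not affected"
    (3, 8): BranchStatus(first_affected=(3, 8, 0), first_fixed=(3, 8, 3)),
    (3, 9): BranchStatus(first_affected=(3, 9, 0), first_fixed=(3, 9, 1)),
    (4, 0): BranchStatus(first_affected=(4, 0, 0), first_fixed=(4, 0, 0)),   # fixed from first release
}

# SMU named in the advisory. Assumption: an SMU is built for one specific
# release, so it only counts when the device actually runs that release.
SMU_FIX = "hfr-k9sec-3.6.2.CSCtd74795"
SMU_TARGET_RELEASE: Version = (3, 6, 2)


def assess(version: str, installed_smus=()) -> str:
    """Return 'vulnerable', 'fixed', 'unaffected' or 'not-listed' for one device."""
    v = parse_version(version)
    status = ADVISORY.get(v[:2])
    if status is None:
        return "not-listed"      # e.g. 3.5.x: the advisory says nothing, so flag for review
    if status.first_affected is None or v < status.first_affected:
        return "unaffected"      # 3.7.x, or 3.6.0 / 3.6.1 (before the bug was committed)
    if status.first_fixed is not None and v >= status.first_fixed:
        return "fixed"
    if v == SMU_TARGET_RELEASE and SMU_FIX in installed_smus:
        return "fixed"           # 3.6.2 with the advisory's SMU applied
    return "vulnerable"


def naive_linear_assess(version: str) -> str:
    """What a plain 'version >= lowest fixed release' comparison would say.
    Included only to show where it disagrees with the branch-aware result."""
    lowest_fix = min(s.first_fixed for s in ADVISORY.values() if s.first_fixed)
    return "fixed" if parse_version(version) >= lowest_fix else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory covering every train the advisory mentions.
    for ver in ["3.5.4", "3.6.1", "3.6.2", "3.7.1", "3.8.2", "3.8.3", "3.9.0", "3.9.1", "4.0.0"]:
        print(f"{ver:7} branch-aware={assess(ver):11} linear={naive_linear_assess(ver)}")
    print("3.6.2 with SMU:", assess("3.6.2", installed_smus={SMU_FIX}))
```

Running it shows the disagreement the question stumbles over: 3.9.0 compares greater than 3.8.3, so the linear check calls it fixed, while the branch table correctly reports it vulnerable (end-note 3). Keeping the table as data means a new advisory, or a corrected reading of a train's history, is a one-line change rather than new logic.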