Hi, Thanks for your reply.

Christian M · ‎02-18-2016

Hello,

I wonder about the fixed code version statement in regards to bug CSCut14223: It's stated that 9.1 is affected, where 9.1.6.7 and 9.1.6.99 are listed as being fixed. Now the question is, since 9.1.6.7 is fixed, does that indicate any following version like 9.1.6.10 is a resolved version or does the version specifically needs to be listed?

Thanks in advance!

Christian

Mark Malone · ‎02-18-2016

Hi I would move straight to 9.1.7 its the current recommended image , theres another major bug that a lot of people are hitting including ourselves and that's why we moved to it and on advice of Cisco

It fixes this aswell but its still there in any image under it like 9.1.6.10 , this is a serious bug that leaves ASA open to attack and at least 9.1.7 will cover both issues

http://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20160210-asa-ike.html

Christian M · ‎02-18-2016

Hi, Thanks for your reply.

I am aware of the IKE issue and the major path to 9.1(7). But the question is if the statement in the bug about the version says it is fixed in "9.1(6)7 and later" (so including 9.1(6)10++), or 9.1(6)10 is "again" open to the bug as not specifically listed.

Mark Malone · ‎02-18-2016

Hi Its specific to the release that it has in the fixed column , so only 3 versions out of the 9.1 has the fix , so no 9.1.6.10 will still be effected

I don't see it saying in the bug release that 9.1.6 and later is fixed if that was the case they wouldn't bother specifying certain releases past 9.1.6

9.1(6.7)

9.1(6.99)

9.1(7)

CSCut14223 - Cisco ASA Management Interface XML Parser DoS Vulnerability