MARS 6.0.8 update - pulled from CCO?

mikecrowe4ICS_2
Level 1

Yesterday (Aug 11), I was able to download the upgrade package for MARS release 6.0.8.  I happened to look at the same page today, and that update is now gone.  It was removed from both the "Software Download" page and the "Recovery Images" page.  However, the Release Notes for this release are still available.

Has this release been pulled purposely?  Or was posting it in the first place an accident?

Essentially -- should I avoid loading update 6.0.8(3427)?

7 Replies

cvilleme
Level 1

Hi Michael,

Yes, it was pulled from CCO because a newly identified showstopper bug was unfortunately introduced into 6.0.8.  This new bug breaks parsing of Cisco Security Agent events.

The MARS business unit is currently scoping out a fix for this, and 6.0.8 won't be re-posted until the fix has been validated.  I don't have an ETA on this as it's still being looked into.

If you've already installed 6.0.8, please contact Cisco TAC.  Cisco is also working on a patch to apply for those customers that may have already upgraded to 6.0.8.


Thanks,
Chris

Ok, great.  That's very helpful information.

You mention the bug deals with parsing events from CSA.  What about cases where there are no CSA clients reporting to CS-MARS?  My MARS servers receive no CSA events.  I ask because one of the bug fixes in 6.0.8 (OpenSSL fix) is of particular interest to me.

Or is it possible that the fixed version of 6.0.8 will be re-released fairly quickly?

Hi Michael,

This is the bug that was introduced into 6.0.8, CSCti30953 - "MARS parses reporting IP of SNMP traps incorrectly as 0.0.0.0".

In reading through the bug description, it looks like this could affect any reporting device that uses SNMP traps to send to MARS, not just CSA.  So, if you're not relying on SNMP traps from any of your reporting devices, you may be ok with applying this service pack.  This issue does not appear to cause problems for Syslog or Netflow events, just SNMP trap events.

That being said, I'd probably still hold off on applying it until I can confirm that your only concern with this release would be SNMP traps.  I've just asked the MARS development team this question, and I've also asked for an ETA on re-posting of 6.0.8.  I'll let you know what I hear back.

Regards,
Chris

Michael,

I received an update from the MARS development team.  We're aiming to have 6.0.8 reposted hopefully mid-next week or early the week after.  This date could slip of course, but that's the current plan.

He suggested that you hold off on applying the 6.0.8 that you downloaded and that you'd probably be better off waiting for the reposted version when it's available.


Regards,

Chris

Ok, will do.  Thanks for the great information -- it's been extremely helpful.  And I appreciate all the follow through.

I noticed that the 6.0.8 update has been reposted to CCO, but with a new build number (3427 vs. 3428).

Should this one be considered "safe" to load?

Yes, that's the re-post of 6.0.8.  You'll want to install the build 3428 version.

Regards,
Chris
