08-11-2010 06:14 PM
Yesterday (Aug 11), I was able to download the upgrade package for MARS release 6.0.8. I happened to look at the same page today, and that update is now gone. It was removed from both the "Software Download" page and the "Recovery Images" page. However, the Release Notes for this release are still available.
Has this release been pulled purposely? Or was posting it in the first place an accident?
Essentially -- should I avoid loading update 6.0.8(3427)?
Solved! Go to Solution.
08-12-2010 03:57 AM
Hi Michael,
Yes, it was pulled from CCO because a newly identified showstopper bug was unfortunately introduced into 6.0.8. This new bug breaks parsing of Cisco Security Agent events.
The MARS business unit is currently scoping out a fix for this, and 6.0.8 won't be re-posted until the fix has been validated. I don't have an ETA on this as it's still being looked into.
If you've already installed 6.0.8, please contact Cisco TAC. Cisco is also working on a patch to apply for those customers that may have already upgraded to 6.0.8.
Thanks,
Chris
08-13-2010 03:59 AM
Hi Michael,
This is the bug that was introduced into 6.0.8, CSCti30953 - "MARS parses reporting IP of SNMP traps incorrectly as 0.0.0.0".
In reading through the bug description, it looks like this could affect any reporting device that uses SNMP traps to send to MARS, not just CSA. So, if you're not relying on SNMP traps from any of your reporting devices, you may be ok with applying this service pack. This issue does not appear to cause problems for Syslog or Netflow events, just SNMP trap events.
That being said, I'd probably still hold off on applying it until I can confirm that your only concern with this release would be SNMP traps. I've just asked the MARS development team this question, and I've also asked for an ETA on re-posting of 6.0.8. I'll let you know what I hear back.
Regards,
Chris
08-13-2010 09:59 AM
Michael,
I received an update from the MARS development team. We're aiming to have 6.0.8 reposted hopefully mid-next week or early the week after. This date could slip of course, but that's the current plan.
He suggested that you hold off on applying the 6.0.8 that you downloaded and that you'd probably be better off waiting for the reposted version when it's available.
Regards,
Chris
08-12-2010 03:57 AM
Hi Michael,
Yes, it was pulled from CCO because a newly identified showstopper bug was unfortunately introduced into 6.0.8. This new bug breaks parsing of Cisco Security Agent events.
The MARS business unit is currently scoping out a fix for this, and 6.0.8 won't be re-posted until the fix has been validated. I don't have an ETA on this as it's still being looked into.
If you've already installed 6.0.8, please contact Cisco TAC. Cisco is also working on a patch to apply for those customers that may have already upgraded to 6.0.8.
Thanks,
Chris
08-12-2010 05:54 PM
Ok, great. That's very helpful information.
You mention the bug deals with parsing events from CSA. What about cases where there are no CSA clients reporting to CS-MARS? My MARS servers receive no CSA events. I ask because one of the bug fixes in 6.0.8 (OpenSSL fix) is of particular interest to me.
Or is it possible that the fixed version of 6.0.8 will be re-released fairly quickly?
08-13-2010 03:59 AM
Hi Michael,
This is the bug that was introduced into 6.0.8, CSCti30953 - "MARS parses reporting IP of SNMP traps incorrectly as 0.0.0.0".
In reading through the bug description, it looks like this could affect any reporting device that uses SNMP traps to send to MARS, not just CSA. So, if you're not relying on SNMP traps from any of your reporting devices, you may be ok with applying this service pack. This issue does not appear to cause problems for Syslog or Netflow events, just SNMP trap events.
That being said, I'd probably still hold off on applying it until I can confirm that your only concern with this release would be SNMP traps. I've just asked the MARS development team this question, and I've also asked for an ETA on re-posting of 6.0.8. I'll let you know what I hear back.
Regards,
Chris
08-13-2010 09:59 AM
Michael,
I received an update from the MARS development team. We're aiming to have 6.0.8 reposted hopefully mid-next week or early the week after. This date could slip of course, but that's the current plan.
He suggested that you hold off on applying the 6.0.8 that you downloaded and that you'd probably be better off waiting for the reposted version when it's available.
Regards,
Chris
08-14-2010 04:11 PM
Ok, will do. Thanks for the great information -- it's been extremely helpful. And I appreciate all the follow through.
08-21-2010 10:41 PM
I noticed that the 6.0.8 update has been reposted to CCO, but with a new build number (3427 vs. 3428).
Should this one be considered "safe" to load?
08-22-2010 03:11 AM
Yes, that's the re-post of 6.0.8. You'll want to install the build 3428 version.
Regards,
Chris
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: