ā08-13-2015 12:39 AM - edited ā02-21-2020 08:23 PM
Hello,
I have a quick question about the versions of AnyConnect that should be deployed in order to fix bug CSCut93920. The bug notes state that the fix is available in version 3.1(10010) and 4.1(4011). I was able to find version 3.1(10010), however, there is no version 4.1(4011). The one that's available for download is 4.1(04011). Is that just a typo on the Cisco Download site? The reason I ask is because the bug notes as well as the CVE-2015-4289 state that all version 4.1(0) are vulnerable.
Thank you,
Martin
Solved! Go to Solution.
ā08-13-2015 03:35 AM
Martin,
C'mon! We're fighting over 0? Literally "nothing" ?! :-)
Well the problem comes from how we're numbering releases internally.
(Take this with a grain of salt) 4011 equals 4011th internal rebuild, problem is that quite often we'll go to 5 digit numbers, I think we've been there with AC 3.1. So some tools will display 04011 and some the same rebuilt as 4011.
Inconsistent, yes, but mostly cosmetic.
M.
ā08-13-2015 01:11 AM
Martin,
The release is available on CCO.
M.
ā08-13-2015 01:12 AM
In case you need software under PSIRT advisory - you can also contact TAC - most of the time :-)
ā08-13-2015 03:14 AM
Hi Marcin,
Thanks for the info. That's the version I am guessing is the correct one. But the CVE and bug notes state that all versions which have "0" as a third number in their version are affected (see below). So what I am trying to say is that someone should either correct the typo in the download section or update the bug/CVE notes :)
3.0(0)
ā08-13-2015 03:35 AM
Martin,
C'mon! We're fighting over 0? Literally "nothing" ?! :-)
Well the problem comes from how we're numbering releases internally.
(Take this with a grain of salt) 4011 equals 4011th internal rebuild, problem is that quite often we'll go to 5 digit numbers, I think we've been there with AC 3.1. So some tools will display 04011 and some the same rebuilt as 4011.
Inconsistent, yes, but mostly cosmetic.
M.
ā08-13-2015 03:52 AM
Thanks for the confirmation. Please try to look at it from customer's perspective. Customer downloads version 4.1.04011 assuming there is just an extra 0 and patches several thousand laptops. Then the vulnerability gets exploited, a case is raised with TAC to get an explanation and the reply the would be along the lines "as per the Cisco PSIRT the versions starting 4.1.0 are vulnerable". The case gets closed and the customer needs to go through a fresh patching project.
Hopefully that explains why I am being cautious :)
ā08-13-2015 04:06 AM
Martin,
I wasn't trying to be dismissive, by any means.
What I think is that bug toolkit etc guys have made great strides to improve situation - vide reading bug notes for IOS/IOS-XE around 2 years back and compare it now.
Are we better, yes, are we good, no. That's probably as much as I can say in a public forum without getting in trouble internally.
There's a width and breadth of products all with different numbering and specifics and tools are supposed to handle all of them. :/
M.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide