Have heard, from Cisco people themselves, that there are quite a few issues (NAT, ARP, ...) with the releases that fix this security hole.
I am surprised too that this hasn't made more noise.

On Tue, Feb 16, 2016 at 9:08 AM, Andrew (Andy) Ashley <andre...@aware.co.th> wrote:
> Hi,
>
> We upgraded a pair of 5515-X’s from 9.2(1) to 9.5(2)2, the interim
> release, on Saturday.
> Since then the free memory on the primary unit has been steadily
> decreasing (30% -> 95% in 3 days).
> These small increases appear to be happening around every 30 minutes or so.
> We failed over to the standby, which had much lower memory usage but that
> too is now creeping up.
> The previous primary unit did not reclaim any memory and did not stop
> climbing either after fail over.
>
> Have opened a TAC case but wondering if it’s just us, or if this is
> affecting others..
>
> Regards,
> Andrew Ashley
>
> -----Original Message-----
> From: cisco-nsp <cisco-nsp-boun...@puck.nether.net> on behalf of Garry <g...@gmx.de>
> Date: Tuesday, 16 February 2016 at 14:49
> To: "cisco-nsp@puck.nether.net" <cisco-nsp@puck.nether.net>
> Subject: Re: [c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability
>
> >Hi,
> >> On Wed, 2016-02-10 at 08:06 -0800, ps...@cisco.com wrote:
> >>> Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer
> >>> Overflow Vulnerability
> >>>
> >>> Advisory ID: cisco-sa-20160210-asa-ike
> >> Poor bastards stuck at 8.2 (like us) might be relieved to know that
> >> there actually is an 8.2(5)59 version with the fix. Reading the SA page
> >> I got the impression that there was no fixed software for 8.2(5).
> >Thanks for the find, same situation we were in (well, several of our
> >customers rather) - reading the advisory, it clearly states anything 8.x
> >except 8.4 is recommended to go to 9.1 (yeah, right! Not opening that
> >can^H^H^H crate of worms! Or more like Pandora's box?). Apart from at
> >least one system that only has 256M of RAM (and therefore can't go to
> >anything higher than 8.2 AFAIK), even going to the mentioned 8.4.7(30)
> >caused some problems due to incorrect (or incomplete) config migration
> >for several systems ... of course it could be fixed, but still ...
> >And yes, the systems should be kept more current, but seeing what
> >happens when you do update more or less confirms the old saying "never
> >change a running system" ... sadly ...
> >
> >Still, if Cisco publishes an interim that fixes this disastrous flaw and
> >is not at least following up on their announcement (8.2.5(59) was
> >released 3 days after the initial notification was published), it's sort
> >of a pain for users ... even the advisory on the web page hasn't been
> >updated to at least list the option of using the interim ... :(
> >
> >-garry
> >
> >_______________________________________________
> >cisco-nsp mailing list cisco-nsp@puck.nether.net
> >https://puck.nether.net/mailman/listinfo/cisco-nsp
> >archive at http://puck.nether.net/pipermail/cisco-nsp/
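The memory creep Andrew describes (steady climb on the primary after the interim upgrade, not reclaimed after failover) is worth catching before a unit runs dry. The following is an added example, not code from the thread or from Cisco: it parses constructed `show memory` summary snapshots taken at intervals (the `Free/Used/Total memory: N bytes (P%)` layout is assumed), flags usage that rises at every interval, and projects when an alert threshold would be crossed.

```python
import re
from datetime import datetime

# Layout of the ASA `show memory` summary assumed for this example:
#   Free memory: N bytes (P%) / Used memory: N bytes (P%) / Total memory: N bytes (100%)
USED_RE = re.compile(r"Used memory:\s+(\d+)\s+bytes")
TOTAL_RE = re.compile(r"Total memory:\s+(\d+)\s+bytes")

def snapshot(ts, used, total=4_000_000_000):
    """Build a constructed `show memory` summary (sample data, not real output)."""
    free = total - used
    return (ts, f"Free memory:  {free} bytes ({100 * free // total}%)\n"
                f"Used memory:  {used} bytes ({100 * used // total}%)\n"
                f"Total memory: {total} bytes (100%)")

# Constructed daily snapshots mimicking the 30% -> 95% climb reported in the thread.
SNAPSHOTS = [
    snapshot("2016-02-13 09:00", 1_200_000_000),
    snapshot("2016-02-14 09:00", 2_000_000_000),
    snapshot("2016-02-15 09:00", 3_000_000_000),
    snapshot("2016-02-16 09:00", 3_800_000_000),
]

def used_pct(output):
    """Used memory as a percentage from the byte counts (the printed % is rounded)."""
    used, total = USED_RE.search(output), TOTAL_RE.search(output)
    if not used or not total:
        raise ValueError("unrecognised show memory output")
    return 100.0 * int(used.group(1)) / int(total.group(1))

def detect_creep(snapshots, min_rise_pct=1.0, alert_pct=90.0):
    """Flag a leak when usage rises by >= min_rise_pct at every interval and
    estimate hours until alert_pct (None when no creep is detected)."""
    series = [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), used_pct(out))
              for ts, out in snapshots]
    steps = [(b[1] - a[1], (b[0] - a[0]).total_seconds() / 3600)
             for a, b in zip(series, series[1:])]
    leaking = len(steps) >= 2 and all(rise >= min_rise_pct for rise, _ in steps)
    hours = sum(h for _, h in steps)
    rate = (series[-1][1] - series[0][1]) / hours if hours else 0.0
    latest = series[-1][1]
    eta = None
    if leaking:
        eta = 0.0 if latest >= alert_pct else ((alert_pct - latest) / rate if rate > 0 else None)
    return {"leaking": leaking, "latest_pct": latest,
            "rate_pct_per_hour": rate, "hours_to_alert": eta}
```

Feed it the summary lines collected by whatever polls the unit (SNMP or a scheduled `show memory`); a single-unit projection is not a substitute for watching the standby as well, since the thread shows the problem following a failover.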