Re: Cisco Security Advisory: Multiple Vulnerabilities in CBOS

[Dave Booth <dbooth () CARLSON COM>]

Cisco Systems Product Security Incident Response Team wrote:
<SNIP>
>     The following releases of CBOS are vulnerable to all defects: 2.0.1,
>     2.1.0, 2.1.0a, 2.2.0, 2.2.1, 2.2.1a, 2.3, 2.3.2, 2.3.5, 2.3.7 and
>     2.3.8.
>
>     These defects will be fixed in the following CBOS releases: 2.3.5.015,
>     2.3.7.002, 2.3.9 and 2.4.1. Customers are urged to upgrade to releases
>     that are not vulnerable to this defect as shown in detail in the
>     section Software Versions and Fixes below.
<SNIP>

QWest DSL customers should be aware that QWest do not support the fixed
CBOS versions. (confirmed 30 seconds ago by a call to the QWest
tech-support line) Therefore the sizable QWest dsl customer base is
likely to remain vulnerable. QWest only support 2.2.0 and my ISP (not
QWest!) has confirmed that they have encountered several issues relating
to higher versions of CBOS on a 675 that connects through a QWest DSLAM.

I've already complained about this state of affairs and suggest you do
likewise if you too are stuck with the choice between leaving
vulnerabilities unpatched or installing an unsupported CBOS version.

--
Dave Booth, CWT-IT
dbooth () carlson com
+---------------------------------------------------+
| Catapultam habeo. Nisi pecuniam omnem mihi dabis, |
| ad caput tuum saxum immane mittam.                |
+---------------------------------------------------+