Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability

Cisco IOS Software SSL VPN Denial of Service Vulnerability

Advisory ID: cisco-sa-20140326-ios-sslvpn

Revision 1.0

For Public Release 2014 March 26 16:00 UTC (GMT)

Summary

Is this normal for the list to directly get Cisco security advisories or something new? First time I have seen these.

Robert

They don't come out often but it happens. Looks like there were 5 or 6 of them.

James

The Full-disclosure mailing list was recently... retired, I guess Cisco
thought NANOG was the next best place.

They do this twice a year, all their advisories were sent here about half a year ago as well.

Robert

Perfectly normal, almost an announce list for issues like this.

Thanks everyone for the replies. I guess since they are done so infrequently, I was not a list member the last go around.

Robert

These also get posted to other mailing lists, such as cisco-nsp.

jms

For anyone who was subscribed to the old full-disclosure list ... Fyodor of nmap has brought it back to life.

Infolink @ http://insecure.org/news/fulldisclosure/
Subscribe @ http://nmap.org/mailman/listinfo/fulldisclosure

Nope, they've been sending these things here for as long as I can remember.
I have NFI why -- probably hubris, thinking that everyone running a network
*must* have some Cisco somewhere.

- Matt

There used to be Cisco 'wigs with well-known names on NANOG.

One of them was probably asked to do it.

I wonder if they should be invited to only post a single message with the titles and links to the alerts so that people can follow it up.

They should also include a link to their own list that they send the full alerts to.

That way there could be some headline alerting to people that there is something in that topic available but avoids sending each alert to the list every time.

Depends on compliance with the charter for the list but I think it might be nice list etiquette.

Regards
Alexander

I wonder if they should be invited to only post a single message with
the titles and links to the alerts so that people can follow it up.

Why? Personally, I think it's fine. It only happens (at most) every six
months (and sometimes more like a year).

Depends on compliance with the charter for the list but I think it
might be nice list etiquette.

I'm surprised at the level of concern over this, considering it's an
event that has been going on since before most of those posting about
this were even on this list. I'm hoping (in vain, I'm sure) that my
gently pointing out that those posts are useful to many people, and
that their occurrence predates most of you, will make this non-issue
die away (and you make me REALLY MISS srh).

While I still worked (I don't now; I'm retired), it was nice to have
those alerts, because it could be checked against the *things* *that*
*should* *be* *patched* for sanity. Even now, there's still Cisco stuff
on my toy network, and I *still* care.

Could we just stick to the interesting issues of IPv6, and SMTP, and
move on? Please?

i would prefer that the header be in blue, the titles in green, and the
urls in magenta, in comic sans, of course

randy

I prefer flat ASCII text. That will shut most of them up.

I disagree vehemently. That's far too simple of a system and doesn't convey the necessary information that should be in a summary document.

Titles should be either cerise, amaranth or raspberry coloured, depending on the bug's severity, and the headers should be blue-gray, glaucous or steel blue depending on the day of the week the bug was discovered. Some people might whine that those colors are too close to each other, but they can just buy a colorimeter -- that's an operational problem anyways.

I can agree to comic sans, as long as it blinks.

Actually, we should probably just set up a committee for report styling. We really need an industry standard for this, and one that covers all possible reporting needs for at least the next 20 years. Shouldn't take more than a few weeks.

I think I have a TPS report template around here that would be a great starting point.... :P

I think it's fine too.

As I'm sure you know, if you're a Cisco customer, you can
subscribe to their internal notification services where
you'll get this anyway.

That they consolidate the most critical bug information and
push it out to the typical operational mailing lists a
couple of times a year is not such a problem, I'd say. For
some, this could be the only way they find out.

Mark.