Release Notes for Cisco IOS Release 12.1E on the Catalyst 6500 and Cisco 7600 Supervisor Engine and MSFC
OL-2310-11
Caveats
A reload might occur when you enter a show command that is related to IP multicast if the “more”
prompt has been displayed for a long period of time. This problem is resolved in Release 12.1(20)E.
(CSCea81029)

Cisco products running Cisco IOS contain vulnerabilities in the processing of H.323 messages,
which are typically used in packetized voice or multimedia applications. Features such as NAT and
Cisco IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has
been developed by the University of Oulu to target this protocol and identify vulnerabilities. Support
for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS
releases are affected if configured for various types of Voice/Multimedia Application support. The
vulnerabilities can be exploited repeatedly to produce a denial of service (DoS). There are
workarounds available that may mitigate the impact, but these techniques may not be appropriate
for use in all customer networks. This advisory is available at:
http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml
This problem is resolved in Release 12.1(20)E. (CSCea32240)

With other fabric-enabled modules installed, a WS-X6816-GBIC module does not come online after
a hot insert or software reset. This problem is resolved in Release 12.1(20)E. (CSCec27072)

A reload might occur if you delete a VPN routing and forwarding (VRF) instance while the show ip
vrf vrf_name EXEC command executes. This problem is resolved in Release 12.1(20)E.
(CSCea83675)

New vulnerabilities in the OpenSSL implementation for SSL have been announced.
An affected network device running an SSL server based on the OpenSSL implementation may be
vulnerable to a Denial of Service (DoS) attack when presented with a malformed certificate by a
client. The network device is vulnerable even if it is configured not to
authenticate certificates from the client. There are workarounds available to mitigate the effects of
these vulnerabilities.
This advisory will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20030930-ssl.shtml
This problem is resolved in Release 12.1(20)E. (CSCec46274)

With the Response Time Reporter (RTR) feature configured, spurious accesses might occur. This
problem is resolved in Release 12.1(20)E. (CSCdy56859)

A port in the STP loop guard loop-inconsistent state sends BPDUs and, if it is elected as the designated
port on the segment, does not recover from the loop-inconsistent state. This problem is resolved
in Release 12.1(20)E. (CSCeb06811)

An OSPF designated router does not generate a network link-state advertisement (LSA) for a
broadcast network when the designated router has another interface that is administratively shut
down and has a duplicate address configured with the OSPF passive-interface command. This
problem is resolved in Release 12.1(20)E. (CSCea35186)

With Internet Group Management Protocol (IGMP) and IP Protocol Independent Multicast (PIM)
enabled, continual tracebacks might occur when you perform an online insertion and removal (OIR)
of a module. This problem is resolved in Release 12.1(20)E. (CSCec13278)

A Cisco device running IOS and enabled for the Border Gateway Protocol (BGP) is vulnerable to a
Denial of Service (DoS) attack from a malformed BGP packet. The BGP protocol is not enabled by
default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the
malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject
a malformed packet. BGP MD5 is a valid workaround for this problem.
Cisco has made free software available to address this problem. For more details, please refer to this
advisory, available at http://www.cisco.com/warp/public/707/cisco-sa-20040616-bgp.shtml.
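
An added example, not part of the Cisco release notes: a Python check that lists the BGP neighbors in a saved IOS running-config that have no `neighbor ... password` (BGP MD5) statement, either directly or through their peer group. The sample configuration, addresses, AS numbers and the function name are constructed for illustration.

```python
import re

# Constructed sample running-config (documentation addresses, private AS numbers).
SAMPLE_CONFIG = """\
router bgp 65001
 neighbor EDGE peer-group
 neighbor EDGE password EXAMPLE-SECRET
 neighbor 192.0.2.1 remote-as 65002
 neighbor 192.0.2.1 password EXAMPLE-SECRET
 neighbor 192.0.2.2 remote-as 65003
 neighbor 192.0.2.3 peer-group EDGE
 neighbor 192.0.2.3 remote-as 65004
 neighbor CORE peer-group
 neighbor 192.0.2.4 peer-group CORE
!
interface Vlan10
 ip address 192.0.2.254 255.255.255.0
"""

NEIGHBOR_RE = re.compile(r"\s+neighbor (\S+) (\S+)(?: (\S+))?")

def neighbors_without_md5(config):
    """Return BGP neighbors with no password set directly or via a peer group."""
    has_password = set()  # neighbors or peer groups carrying 'password'
    groups = set()        # names declared with 'neighbor NAME peer-group'
    member_of = {}        # neighbor -> peer group it belongs to
    seen = []             # neighbors and groups in configuration order
    in_bgp = False
    for line in config.splitlines():
        if not line.startswith(" "):
            # A top-level line opens or closes the 'router bgp' section.
            in_bgp = line.startswith("router bgp ")
            continue
        match = NEIGHBOR_RE.match(line) if in_bgp else None
        if not match:
            continue
        name, keyword, arg = match.groups()
        if keyword == "peer-group" and arg is None:
            groups.add(name)
        elif keyword == "peer-group":
            member_of[name] = arg
        elif keyword == "password":
            has_password.add(name)
        if name not in seen:
            seen.append(name)
    return [n for n in seen
            if n not in groups and n not in has_password
            and member_of.get(n) not in has_password]

if __name__ == "__main__":
    print(neighbors_without_md5(SAMPLE_CONFIG))
```

The check reads only `neighbor` statements and peer-group inheritance; any other inheritance mechanism in a given configuration is outside what it models.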