Release Notes for Cisco IOS Release 12.1E on the Catalyst 6500 and Cisco 7600 Supervisor Engine and MSFC
OL-2310-11
Caveats
• Cisco IOS software incorrectly replies to TCP packets that are destined to broadcast/multicast
addresses. Replies are sourced from the broadcast/multicast address.
The problem is applicable to all ports except HTTP (default 80) and HTTPS (default 443) ports.
With the fix in this DDTS, behavior is changed so that Cisco IOS software will only reply to packets
that are destined to broadcast/multicast addresses on the HTTP (default 80) and HTTPS (default 443) ports.
This behavior is further modified by CSCdv30676.
Although this behavior does not cause any problem for router operation, it may be used for
bypassing packet filters (that are configured either in front of or on the router) to reach the services
running on TCP (i.e., Telnet or SSH); authentication (if configured) still takes place for these services.
This may be possible if the packet filter allows broadcast/multicast destinations but filters the unicast
address of the router.
A filter that can be bypassed on the affected router may be similar to the following:
access-list 100 deny ip any host <routers-interface-IP-address>
access-list 100 permit ip any any
interface X/Y
ip access-group 100 in
This problem is resolved in Release 12.1(13)E14. (CSCdy20364)
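An audit check for the filter shape described in CSCdy20364, added here as an example and not taken from the release notes: it evaluates an extended ACL first-match and reports broadcast/multicast destinations that are permitted while the router's unicast address is denied. The function names, the 192.0.2.1/24 interface address and the hardened ACL entries are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: the caveat's filter, with documentation address
# 192.0.2.1 standing in for <routers-interface-IP-address>.
WEAK_ACL = """\
access-list 100 deny ip any host 192.0.2.1
access-list 100 permit ip any any
"""
# Assumed hardening (not from the release notes): also deny TCP to the
# subnet broadcast, limited broadcast and multicast ranges.
HARDENED_ACL = """\
access-list 100 deny ip any host 192.0.2.1
access-list 100 deny tcp any host 192.0.2.255
access-list 100 deny tcp any host 255.255.255.255
access-list 100 deny tcp any 224.0.0.0 15.255.255.255
access-list 100 permit ip any any
"""

def _dst_matches(spec, ip):
    """Match ip against a destination spec: any | host A | A WILDCARD."""
    if spec[0] == "any":
        return True
    if len(spec) < 2:
        return False                   # malformed entry: treat as no match
    if spec[0] == "host":
        return ip == ipaddress.IPv4Address(spec[1])
    base, wild = (int(ipaddress.IPv4Address(s)) for s in spec[:2])
    care = ~wild & 0xFFFFFFFF          # wildcard bits set to 1 are "don't care"
    return int(ip) & care == base & care

def acl_action(acl_text, dst):
    """First-match result for a TCP packet to dst (port qualifiers ignored)."""
    ip = ipaddress.IPv4Address(dst)
    for line in acl_text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] not in ("ip", "tcp"):
            continue
        spec = t[5:] if t[4] == "any" else t[6:]   # skip the source spec
        if spec and _dst_matches(spec, ip):
            return t[2]
    return "deny"                      # implicit deny ends every IOS ACL

def bypass_destinations(acl_text, router_ip, prefix_len):
    """Broadcast/multicast destinations permitted while the unicast is denied."""
    if acl_action(acl_text, router_ip) != "deny":
        return []                      # unicast not filtered: scenario does not apply
    net = ipaddress.ip_network(f"{router_ip}/{prefix_len}", strict=False)
    probes = [str(net.broadcast_address), "255.255.255.255", "224.0.0.1"]
    return [p for p in probes if acl_action(acl_text, p) == "permit"]
```

A non-empty result means the filter has the condition the caveat describes and should gain explicit deny entries for those destinations until the fixed release is installed.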
• When an Internet Group Management Protocol (IGMP) receive message is entered on the incoming
interface toward the Route Processor (RP), and a source, group (S,G) R state already exists for a
source, the -R flag does not clear. The receiver does not receive traffic for that particular (S,G) entry.
This problem is resolved in Release 12.1(13)E14. (CSCdx95449)
• The squeeze command might cause high CPU utilization for several minutes. This problem is
resolved in Release 12.1(13)E14. (CSCdz60750)
• A new vulnerability in the OpenSSL implementation for SSL was announced on March 17,
2004.
An affected network device running an SSL server based on an affected OpenSSL implementation
may be vulnerable to a Denial of Service (DoS) attack. There are workarounds available to mitigate
the effects of this vulnerability on Cisco products in the workaround section of this advisory. Cisco
is providing fixed software, and recommends that customers upgrade to it when it is available.
This advisory will be posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20040317-openssl.shtml
This problem is resolved in Release 12.1(13)E14. (CSCee00041)
• Many memory allocation failure (MALLOCFAIL) messages might occur for a Cisco Discovery
Protocol (CDP) process:
%SYS-2-MALLOCFAIL: Memory allocation of -1732547824 bytes failed from x605111F0, pool
Processor, alignment 0
-Process= "CDP Protocol", ipl= 0, pid= 42
-Traceback= 602D5DF4 602D78A0 605111F8 60511078 6050EC88 6050E684 602D0E2C 602D0E18
This problem is resolved in Release 12.1(13)E14. (CSCdz32659)
• Receiving CDP packets with a host name that is 256 or more characters long might cause a memory
leak in the CDP process. This problem is resolved in Release 12.1(13)E14. (CSCin67568)
• Following “cmd failed” messages for ATM configuration commands, an ATM interface might
remain administratively down. This problem is resolved in Release 12.1(13)E14. (CSCin40163)