I'm looking at updating my current ICX firmware. The "Ruckus Networks - Security Advisory ID 20190815 FAQ", updated on 1-8-2020, is listed with a vulnerability score of 7.5 (HIGH) and states that "...all customers are strongly encouraged to apply the fix once available." All versions of ICX are listed as vulnerable. The recommended action is to upgrade to 8092GA.
The recommended release may be different from the latest
Ruckus FastIron release for that platform. It could be the case that critical
fixes that Ruckus wants all customers to use were done as part of the
recommended release, and because this release has not experienced the customer
exposure of two months, it would not yet be deemed a Target Path release. After
the customer exposure time is met, it is possible that this recommended release
could be promoted to a Target Path release.
Since the 08.0.92 GA was released more than two months ago, on
11-7-2019, the guide is implying that a stable release would be promoted to
the Target Path release. The 08.0.92 GA firmware release has not been promoted, so does Ruckus feel it is not stable? 08.0.x2a is a maintenance or minor feature release. 08.0.xyd is
a patch release. Would then the wisest choice for a safe and stable version be to
upgrade to 08.0.92d?
It appears that the Target Path
Selection Guide's intention is to target a feature release (08.0.Xya)
and for admins to upgrade to the current minor feature and/or patch releases, 'y'
and 'a' releases. Why then does the guide list a patch version as the current
target path? If the intention is to remain current, then would listing something
like 08.0.9ya be clearer?
The security advisories were first addressed in 8.0.92 and then later in 8.0.90f; any later releases will be good as well.
Not all software versions become Target Path releases; we typically (but not always) select every other major release to become a TP candidate, and it is then tracked across a number of metrics such as how widely deployed it is, the number and severity of incoming defects, feedback from TAC and PS on breadth of deployment, etc.
8.0.90 was the last TP candidate and it met the required criteria in the .90d version and thus became the recommended release. The next candidate will be 8.0.95 (due out in a couple of months) and this will be tracked and declared TP when it hits the required metrics. 8.0.95 has been selected because a number of features it contains mean that it is likely to be highly desirable for a broad range of customers.
A non-TP release is not bad; it just hasn't been measured against the TP metrics.
In your case the recommendation would be that, unless you need the features that were added in the later releases, the best option is to go with the TP release or a later derivative, i.e. 8.0.90d or .90f. If you need one of the features introduced in a later release, then go with the latest patch release of the version that you need, e.g. 8.0.92d.
Let me know if you need any further clarification.
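To turn the reply's fixed-in versions into something you can run against a switch inventory, here is an added example that is not part of the thread and not Ruckus code. It parses the 08.0.RRp version string the way the thread describes it (RR is the feature release such as 90 or 92, the trailing letter is the patch level, no letter means GA), orders builds correctly so that 08.0.90d sorts below 08.0.90f, and reports whether a build is 8.0.92 or later, or 8.0.90f or a later patch on the 90 train. Treating any train between 90 and 92 as not fixed is my own conservative assumption; the page does not mention one, so confirm such builds against the advisory itself.

```python
import re
from dataclasses import dataclass

# FastIron version layout as used in the thread: MM.m.RR[p], e.g. 08.0.90d.
# RR is the feature release (90, 92, 95); the optional trailing letter is the
# patch level, and no letter means the GA build.
_VERSION_RE = re.compile(r"^(\d{1,2})\.(\d+)\.(\d{2})([a-z])?$")


@dataclass(frozen=True, order=True)
class FastIronVersion:
    major: int
    minor: int
    release: int
    patch: int  # 0 for GA, a=1, b=2, ... so patch builds order after GA

    @classmethod
    def parse(cls, text: str) -> "FastIronVersion":
        s = text.strip().lower()
        if s.endswith("ga"):          # accept "08.0.92 GA" as well as "08.0.92"
            s = s[:-2].strip()
        m = _VERSION_RE.match(s)
        if not m:
            raise ValueError(f"not a FastIron version string: {text!r}")
        major, minor, release, letter = m.groups()
        patch = ord(letter) - ord("a") + 1 if letter else 0
        return cls(int(major), int(minor), int(release), patch)

    def train(self) -> tuple:
        """Feature release this build belongs to, e.g. (8, 0, 90) for 08.0.90f."""
        return (self.major, self.minor, self.release)

    def kind(self) -> str:
        """Classify the build using the naming convention quoted in the question."""
        return "GA/feature release" if self.patch == 0 else "patch release"

    def __str__(self) -> str:
        letter = chr(ord("a") + self.patch - 1) if self.patch else ""
        return f"{self.major:02d}.{self.minor}.{self.release:02d}{letter}"


# Builds that carry the fix, as stated in the reply above:
# first in 8.0.92 GA, later backported to 8.0.90f.
FIXED_FIRST = FastIronVersion.parse("08.0.92")
FIXED_BACKPORT = FastIronVersion.parse("08.0.90f")


def includes_advisory_fix(text: str) -> bool:
    """True for 08.0.92 or newer, or 08.0.90f or a later patch on the 90 train.

    Assumption (mine, not the page's): trains between 90 and 92, e.g. a
    hypothetical 08.0.91x build, are reported as not fixed until confirmed.
    """
    v = FastIronVersion.parse(text)
    if v >= FIXED_FIRST:
        return True
    return v.train() == FIXED_BACKPORT.train() and v >= FIXED_BACKPORT


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    for s in ("08.0.80g", "08.0.90d", "08.0.90f", "08.0.92 GA", "08.0.92d", "08.0.95"):
        v = FastIronVersion.parse(s)
        print(f"{str(v):10} {v.kind():20} fix present: {includes_advisory_fix(s)}")
```

The comparison deliberately encodes GA as patch level 0 so that a plain tuple ordering gives the right answer for both "is this the same train but an older patch" and "is this a later train"; the TP release 8.0.90d therefore sorts below 8.0.90f and is correctly reported as not carrying the fix.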