05-20-2026 05:17 AM
Can someone explain to me why the GlobalProtect App release notes don't list the CVEs addressed? These are changes made in the app that need to be in the release notes and it seems unnecessary to have to check two different sources for information.
The only place CVEs are listed for GlobalProtect seems to be here: https://security.paloaltonetworks.com/
Also, what is it with Palo Alto and seemingly Cisco too with 6.3.3-h10 being listed but then on other locations being listed with a build # such as c1011. Either call it one or the other but not both. The security site lists h11 now for a CVE that was showing 6.3.3-h10 the other day but since it isn't in any release notes it appears no one is being notified of this. If I hadn't checked today I'd have thought deploying 6.3.3-h10 was going to fix https://security.paloaltonetworks.com/CVE-2026-0251 .
Sorry this is a bit of a rant so this is mainly intended for Palo Alto but good grief let's get some consistency. If you want to use both numbers use them both everywhere.
05-21-2026 12:25 AM
I fully agree with your frustrations.
On a semi-related note 6.3.3-h10 or 6.3.3-c1011 does not appear to have a release date anymore.....(when looking at the list on the firewall)
05-21-2026 05:52 AM
Yes, another source of frustration, as they pulled that release because it didn't totally fix https://security.paloaltonetworks.com/CVE-2026-0251 . They didn't release the fix for the fix until later yesterday (well, later for US East).
What is frustrating is for people that had previously downloaded c1011 in the portal (which they should know), there was no notification that it was pulled. I was about to deploy it and accidentally noticed in the security bulletin list that it was modified and that the fix was changed from h10 to h11 (which isn't called out in the modified notes either at the bottom - it just says version updated but not which one).
I'd like the ability to subscribe to a CVE so that if you are actively working on it you'll get updates too.
As bad as this is though, I have to work with F5's CVE list and it's way worse. It is worth acknowledging that the method used by Palo and in particular the security portal is better than most other vendors.
05-21-2026 06:18 AM
As proof of how split brain Palo is on this and why they need just one version number. I just downloaded the latest 6.3.3 build and the release notes from Palo Alto and used the same names they were given on the site. Notice anything? 🤔
05-21-2026 07:06 AM
This is because 6.3.3-h10 was pulled in favor of 6.3.3-h11 due to analytics showing performance issues supposedly with h10 on macOS and Windows. I have to imagine that the performance issues were due to it being released with some debugging enabled by default, as the size of 6.3.3-h10 was suddenly quite a bit larger than normal. Of course, PAN didn't actually send any communication about it being pulled as far as I can tell.
The complaint is 100% valid and frankly isn't that unexpected or abnormal behavior for PAN. There are almost always known issues that never make it into the release notes under known issues, and the quality of the addressed issues being accurate is also not 100% accurate either. It's upsetting to know that PAN customers sometimes contact support regarding an issue, only to find out that the company knew the issue was present and simply never bothered to document them within the known issues of the release notes.
We've also seen hotfix updates for the released hotfix updates, which just shows continued lack of proper validation and testing before they push something out. I get that updates aren't going to be heavily tested before being put out when they're addressing security issues and need to release a dozen or more updates due to customer version spread, but if the code quality was actually better you wouldn't have customers spread out all over the place either and customers wouldn't be so reluctant to move from what they know is working.
05-21-2026 07:21 AM
Interesting insight into the pull of h10 - thanks for that. And yes, their quality control seems less than desirable. Even the release notes for h11 totally miss mentioning the three CVEs that were originally addressed in h10 since they deleted that entry and didn't carry it forward to h11.
As a relative newcomer (few years now) to Palo, I'm always shocked at the number of releases they do a hotfix for. As you said, had their releases been stable no one would need to stay back so far and it would alleviate a lot of this. Even our update recently from 10.1.10-h10 to 1.1.13-h5 is causing issues for us and that should have been a minor jump. (fwiw - inline cloud analysis on the threat detection profile we use is silently blocking traffic...)

