InlineFive, there is not currently any vendor for switches that I consider to be doing QA well enough. I've been buying SMC's switches lately for L2, and they're working well for me. If I'm not getting enterprise-class reliability, I'm not going to pay an enterprise-class price for it! I'm buying Extreme "i" switches for L3, and they're okay, the software is definitely a rough ride but their hardware is good. Those boxes are getting cheaper now, finally.
jlazzaro,
"I read somewhere there's no "known" public exploit script for these vulnerabilities"
Vendors rarely write security advisories that say "the bad guys have scripts to exploit these vulnerabilities" because that makes customers quite unhappy. They also rarely write security advisories that say "we found out about this bug a year ago, and the bad guys probably knew about it months before that. We fixed it six months ago, and we told the customers who are really important to us about it then. But we're only telling YOU about it now." Because that too makes customers quite unhappy.
Just because they don't explicitly say these things doesn't mean you can't -- and shouldn't -- read between the lines.
My understanding of how to read the version chart is that you are okay if you're running a version newer than the version listed as maintenance, that is, that's the version where it got put into the tree. However, they also took an older and recommended stable version and created a one-off branch version of that with the fix applied, and that's the rebuild version. So you're okay if you get that one particular version ("rebuild"), or if you are running a version newer than the maintenance version listed. I admit that I could be wrong here, it is definitely confusing.
In practice, I always interpret these things as telling me to update my boxes to the newest version available that's stable enough, and/or that's above the maintenance version listed. I figure if I'm going to take the test/upgrade/test pain at all I might as well get current.
RebateMonger, that's why you build a network with defense in depth. Software has bugs and applying patches sometimes creates new ones as well as brings operational risk into the picture. To the best of your ability, you should build a network so that an exploitable bug doesn't make you a sitting duck, you have other layers of defense such that malicious parties can't actually do the exploit.
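One way to turn the chart-reading rule in the reply above into a check, as an added example that is neither the poster's code nor any vendor's tool. The chart rows, the version format (dotted numbers with an optional letter) and the two-component notion of a "release train" are all assumptions.

```python
import re

# Constructed chart in the shape the post describes: per release train, the
# maintenance release where the fix entered the tree (None if that train never
# got it) and an optional one-off "rebuild" of an older recommended release.
FIXED_CHART = [
    {"train": "7.0", "maintenance": None,    "rebuild": "7.0.2b"},
    {"train": "7.1", "maintenance": "7.1.3", "rebuild": None},
]

def parse_version(v):
    """'7.1.3b' -> ((7, 1, 3), 'b'); tuples then compare in release order."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", v.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in m.group(1).split(".")), m.group(2)

def train_of(v):
    """Release train = first two numeric components, e.g. '7.1.3b' -> '7.1'."""
    nums, _ = parse_version(v)
    return ".".join(str(n) for n in nums[:2])

def patch_status(running, chart=FIXED_CHART):
    """Classify a running version against the chart.

    Returns one of:
      'fixed-rebuild'     exactly the one-off rebuild release
      'fixed-maintenance' at or past the maintenance release of its train
      'vulnerable'        on a charted train but below the fix
      'unknown-train'     the chart says nothing about this train
    """
    run = parse_version(running)
    # A rebuild is a one-off branch: only that exact version carries the fix,
    # so being "newer" than the rebuild on the same train proves nothing.
    for row in chart:
        if row["rebuild"] and parse_version(row["rebuild"]) == run:
            return "fixed-rebuild"
    for row in chart:
        if row["train"] != train_of(running):
            continue
        if row["maintenance"] and run >= parse_version(row["maintenance"]):
            return "fixed-maintenance"
        return "vulnerable"
    return "unknown-train"
```

Note that 7.0.3 comes out as vulnerable even though it is numerically past the 7.0.2b rebuild, which is exactly the trap the reply warns about.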