[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] iDEFENSE Security Advisory 08.18.04: Courier-IMAP Remote Format String Vulnerability
- To: customerservice@xxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxx
- Subject: Re: [Full-Disclosure] iDEFENSE Security Advisory 08.18.04: Courier-IMAP Remote Format String Vulnerability
- From: Kyle Maxwell <krmaxwell@xxxxxxxxx>
- Date: Wed, 18 Aug 2004 15:58:13 -0500
On Wed, 18 Aug 2004 12:32:55 -0400, idlabs-advisories@xxxxxxxxxxxx
<idlabs-advisories@xxxxxxxxxxxx> wrote:
> Courier-IMAP Remote Format String Vulnerability
>
> iDEFENSE Security Advisory 08.18.04
> www.idefense.com/application/poi/display?id=131&type=vulnerabilities
> August 18, 2004
[snip]
> The vulnerability specifically exists within the auth_debug() function
> defined in authlib/debug.c:
> VIII. DISCLOSURE TIMELINE
>
> 08/10/2004 Initial vendor contact
> 08/10/2004 iDEFENSE clients notified
> 08/11/2004 Initial vendor response
> 08/18/2004 Public disclosure
>
> IX. CREDIT
>
> An anonymous contributor is credited with discovering this
> vulnerability.
>
> Get paid for vulnerability research
> http://www.idefense.com/poi/teams/vcp.jsp
>
> X. LEGAL NOTICES
>
> Copyright (c) 2004 iDEFENSE, Inc.
It's interesting to note that this was reported in March 2004 and
reported at http://www.securityfocus.com/bid/9845. The CVE project had
already announced an ID (see
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0224 or
your preferred CVE database). Unless there's something substantially
new here, iDEFENSE is charging customers for (and trying to gain
reputation based on) information that is months old without even
giving credit where its due. Perhaps the concept of plagiarism is
worth reviewing here.
--
Kyle Maxwell
krmaxwell@xxxxxxxxx
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html