[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] iDEFENSE Security Advisory 08.25.04:

To: full-disclosure@xxxxxxxxxxxxxxxx
Subject: Re: [Full-Disclosure] iDEFENSE Security Advisory 08.25.04:
From: Anonymous <cripto@xxxxxxx>
Date: Thu, 26 Aug 2004 09:37:00 +0200 (CEST)

At 01:45 PM 8/25/2004 -0400, idlabs-advisories@xxxxxxxxxxxx wrote:
>CDE libDtHelp LOGNAME Buffer Overflow Vulnerability

>US-CERT Vulnerability Note VU#575804, detailing the original attack
>vectors is available at:
>
>http://www.kb.cert.org/vuls/id/575804

>iDEFENSE has confirmed the existence of this vulnerability in Solaris 8
>and Solaris 9 without the patches provided for in Sun Alert 57414.

>VIII. DISCLOSURE TIMELINE
>
>03/04/2004   Initial vendor contact
>             (Opengroup.org)
>03/04/2004   iDEFENSE clients notified
>03/31/2004   Initial vendor response
>             (Opengroup.org - further coordination requested)
>04/19/2004   Initial vendor contact
>             (Hewlett-Packard, IBM, and Sun Microsystems)
>04/19/2004   Initial vendor response (Sun Microsystems)
>04/20/2004   Initial vendor response (Hewlett-Packard)
>08/25/2004   Public disclosure


I am confused. Sun patched this on 30 April. HP Patched as recently as 
February. IBM in November.  The last change to the CERT VN was 4 November.

Why "disclose" this now?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Prev by Date: Re: [Full-Disclosure] Automated ssh scanning
Next by Date: RE: !SPAM! [Full-Disclosure] Automated ssh scanning
Previous by thread: [Full-Disclosure] 21st Chaos Communication Congress 2004: Call for Papers
Next by thread: RE: !SPAM! [Full-Disclosure] Automated ssh scanning
Index(es):
- Date
- Thread