lists.openwall.net | Open Source and information security mailing list archives
Date: Thu, 17 Apr 2008 23:58:09 +0300 (EEST)
From: Juha-Matti Laurio <juha-matti.laurio@...ti.fi>
To: Erik Harrison <eharrison@...il.com>, Luigi Auriemma <aluigi@...istici.org>
Cc: vuln@...unia.com, full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: Secunia Research: Lotus Notes Folio Flat File Parsing Buffer Overflows

When examining advisory SA28209
http://secunia.com/advisories/28209/
it points to reports listing vulnerabilities in several products and versions
(Verity KeyView Viewer SDK 7.x, 8.x, and 9.x) etc.

Secunia's Web site lists advisories by a specific product too, see
http://secunia.com/product/5570/?task=advisories

I believe this is the reason for several advisories.

Juha-Matti

Erik Harrison <eharrison@...il.com> wrote:

> It's not always easy to know what libs all of your apps are using. Unless of
> course you're managing a small set of systems, have a lot of time, or are
> particularly godlike at what you do. I think it's great that they identify
> the software using it. Frankly, if I'm in an enterprise environment running
> Lotus for some god awful reason, that's going to get my attention more than
> one of its libraries.
>
> Yes, it does inflate their stats on number of vuln advisories published in a
> year, but whatever - I don't care about that. What's the better way to deal
> with it? Try and push one advisory listing 1000 apps affected in its
> content? Even then, you're not going to have an accurate list. I think it
> -is- better to publish one advisory per affected piece of software. When I'm
> skimming the 100 or so that hit my inbox every day, I don't have the luxury
> of opening each one. Unfortunate, but that's the reality for most security staff.
>
> It's only going to get worse. Reporting is going to increase and threats are
> going to apply to far more products inheriting the same code. What's the
> best, most scalable way of dealing with this? Anyone have any ideas on that
> one?
>
> On Tue, Apr 15, 2008 at 10:20 AM, Luigi Auriemma <aluigi@...istici.org> wrote:
> >
> > > Autonomy Keyview Folio Flat File Parsing Buffer Overflows
> > > Autonomy Keyview Applix Graphics Parsing Vulnerabilities
> > > Autonomy Keyview EML Reader Buffer Overflows
> > > activePDF DocConverter Folio Flat File Parsing Buffer Overflows
> > > activePDF DocConverter Applix Graphics Parsing Vulnerabilities
> > > Lotus Notes Applix Graphics Parsing Vulnerabilities
> > > Lotus Notes Folio Flat File Parsing Buffer Overflows
> > > Lotus Notes EML Reader Buffer Overflows
> > > Lotus Notes kvdocve.dll Path Processing Buffer Overflow
> > > Lotus Notes htmsr.dll Buffer Overflows
> > > Symantec Mail Security Folio Flat File Parsing Buffer Overflows
> > > Symantec Mail Security Applix Graphics Parsing Vulnerabilities
> >
> > 12 mails for the same library?
> >
> > From what I have understood all the bugs are just in this Autonomy
> > Keyview library so in my opinion reporting the same identical bugs in
> > each software which uses this third-party component and additionally
> > without saying that the problem in reality is in the library is wrong
> > and leads to a lot of confusion.
> >
> > It's just like if someone finds a bug in zlib and releases 10000
> > advisories, one for each program in the world which uses the library...
> > the bug is not in these 10000 programs but only in zlib.
> >
> >
> > ---
> > Luigi Auriemma
> > http://aluigi.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
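One scalable answer to the question Erik raises and the duplication Luigi complains about is to keep your own inventory of which third-party component each product embeds, and collapse incoming per-product advisories onto that inventory before anyone reads them. The script below is an added example written for this page; it is not part of the thread and not Secunia's or any vendor's tooling. It uses the 12 advisory titles Luigi quotes as its input, and the product-to-component map is an assumption taken from Luigi's statement that all the bugs are in the Autonomy Keyview library (a real inventory would come from your own package or SBOM data).

```python
"""Collapse per-product advisories that share one underlying component.

Added example for the Full-Disclosure thread above; not code from the
thread. The titles are the ones quoted in the thread; COMPONENT_OF is an
assumed inventory, not data published in the advisories.
"""
from collections import defaultdict

# The 12 advisory titles quoted by Luigi (taken from the thread).
ADVISORY_TITLES = [
    "Autonomy Keyview Folio Flat File Parsing Buffer Overflows",
    "Autonomy Keyview Applix Graphics Parsing Vulnerabilities",
    "Autonomy Keyview EML Reader Buffer Overflows",
    "activePDF DocConverter Folio Flat File Parsing Buffer Overflows",
    "activePDF DocConverter Applix Graphics Parsing Vulnerabilities",
    "Lotus Notes Applix Graphics Parsing Vulnerabilities",
    "Lotus Notes Folio Flat File Parsing Buffer Overflows",
    "Lotus Notes EML Reader Buffer Overflows",
    "Lotus Notes kvdocve.dll Path Processing Buffer Overflow",
    "Lotus Notes htmsr.dll Buffer Overflows",
    "Symantec Mail Security Folio Flat File Parsing Buffer Overflows",
    "Symantec Mail Security Applix Graphics Parsing Vulnerabilities",
]

# Assumed component inventory (product -> embedded third-party library).
# The thread says all four products ship Autonomy Keyview; the mapping is
# this example's assumption, not something the advisories state.
COMPONENT_OF = {
    "Autonomy Keyview": "Autonomy Keyview",
    "activePDF DocConverter": "Autonomy Keyview",
    "Lotus Notes": "Autonomy Keyview",
    "Symantec Mail Security": "Autonomy Keyview",
}


def split_title(title):
    """Return (product, issue) by stripping the longest matching product name.

    Titles follow the 'Product Issue' pattern seen in the thread. A title whose
    product is not in the inventory comes back as (None, title) so it is never
    silently merged into somebody else's cluster.
    """
    for product in sorted(COMPONENT_OF, key=len, reverse=True):
        if title.startswith(product + " "):
            return product, title[len(product) + 1:]
    return None, title


def cluster_by_issue(titles):
    """Group per-product advisories whose issue text is identical.

    Returns {issue: [product, ...]}: one shared-library bug reported under N
    product names becomes a single entry that lists those N products.
    """
    clusters = defaultdict(list)
    for title in titles:
        product, issue = split_title(title)
        clusters[issue].append(product if product else "<unknown product>")
    return dict(clusters)


def triage(titles, deployed):
    """Build a deduplicated worklist for the products you actually run.

    deployed: set of product names present in your estate. Each distinct issue
    records the component it lives in (per the inventory), every product the
    advisories name, and the subset of those products you have deployed.
    """
    worklist = {}
    for issue, products in cluster_by_issue(titles).items():
        components = sorted({COMPONENT_OF.get(p, p) for p in products})
        worklist[issue] = {
            "component": components[0] if len(components) == 1 else components,
            "affected": sorted(products),
            "mine": sorted(p for p in products if p in deployed),
        }
    return worklist


if __name__ == "__main__":
    # 12 advisories collapse to 5 issues; only the ones hitting Lotus Notes
    # are flagged as "mine" for an estate that runs just that product.
    for issue, row in triage(ADVISORY_TITLES, {"Lotus Notes"}).items():
        print(f"{issue}: component={row['component']}, "
              f"affected={len(row['affected'])}, mine={row['mine']}")
```

The value of the inventory is the reverse direction too: when the root-cause advisory for the library finally appears, the same map tells you which of your products inherit it even if no vendor has issued a product-specific advisory yet. The weak point is exactly what Erik notes, that the map has to exist and be maintained; unmatched titles are kept apart rather than guessed at, so a missing inventory entry shows up as a "<unknown product>" cluster instead of a silent miss.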