Message-ID: <001501c49afc$1d13f5e0$d4f0bb51@vegetabl3.org>
Date: Wed, 15 Sep 2004 09:15:05 +0100
From: "advisories" <advisories@...saire.com>
To: <bugtraq@...urityfocus.com>
Subject: Re: Correction to latest Colsaire advisories


Rather than cross posting stuff verbatim from full-disclosure (it's there
for anyone who wants to read it), in summary:

At the time the research was conducted (August 2003) Corsaire looked around
for as much information as possible prior to commencing. There were a number
of individual MIME issues around, but most were single-product
vulnerabilities. The 3APA3A white paper has existed since at least February
2002, but was not encountered at the time. It has been recently updated to
include the latest information, but even so, details only a small subset of
the test cases provided as part of the Corsaire research. If anyone were to
claim that the 3APA3A white paper is in any way complete, fully researched
and definitive, it would simply be untrue.

The Corsaire research project produced test cases for around 200 working
attack vectors, that when passed through the top 10 content products
produced over 800 individual vulnerabilities (needless to point out that
there are a lot more than 10 products in this arena).

When we approached Mitre in regard to organising CVE numbers, it was clear
that there were far too many issues to allocate individually, so it was
agreed to pursue the same route as the SNMP issue from several years ago
(http://www.cert.org/advisories/CA-2002-03.html) and group them into
manageable chunks; this is what produced the broad category based
advisories. The use of the categories then isn't an attempt to assume credit
for anyone else's work (if such exists), but to manage the volume of issues
identified.

Regards,
Martin O'Neal
Technical Director - Corsaire






