lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20041109231144.31974.qmail@www.securityfocus.com>
Date: 9 Nov 2004 23:11:44 -0000
From: <secure@...antec.com>
To: bugtraq@...urityfocus.com
Subject: Re:   [HV-LOW] Symantec LiveUpdate issues may cause DoS




Symantec is aware of this posting. Symantec engineers are reviewing the issue.  If it is validated we will respond accordingly.  

According to HexView's advisory, Symantec was notified 2004-11-03 and did not respond prior to HexView's posting.  
However, HexView's initial notification to Symantec was received late afternoon on 2004-11-03 and Symantec's initial response acknowledgement and offer of coordination in reviewing and reporting if found to be valid went back to HexView the following morning, 2004-11-04, well within the 24 hour window that is published in their stated disclosure policy.  No further communications of any nature have been received from HexView concerning this issue.

Symantec takes the security of our products seriously and is a responsible disclosure organization.  We would like to work directly with anyone who believes they have found a security issue in a Symantec product to validate the problem and coordinate a response.  

Please contact secure@...antec.com concerning security issues with Symantec products.

Symantec Product Security
secure@...antec.com
-----------------------------------------

vuln@...view.com 

To
bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com
cc

Subject
[HV-LOW] Symantec LiveUpdate issues may cause DoS

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Symantec LiveUpdate issues may cause DoS

Classification:
===============
Level: [LOW]-med-high-crit
ID: HEXVIEW*2004*11*04*1
URL: http://www.hexview.com/docs/20041104-1.txt

Overview:
=========
Symantec LiveUpdate is an application designed to provide timely updates for Symantec products. LiveUpdate downloads zip-archived packages, decompresses them, verifies signatures, and finally installs the updates. HexView discovered two problems
with LiveUpdate: decompression routine does not check for uncompressed file sizes and no validation is performed on directory names.

----------------------snip-------------------------------------------
Vendor Status:
==============
Symantec was notified on 2004-11-03. No response received.

About HexView:
==============
HexView contributes to online security-related lists for almost a decade. The scope of our expertize spreads over Windows, Linux, Sun, MacOS platforms, network applications, and embedded devices. The chances are you read our advisories or disclosures. For more information visit
http://www.hexview.com

----------------------snip-----------------------------
HexView Disclosure Policy:
==========================
HexView notifies vendors that have publicly available contact e-mail 24 hours before disclosing any information to the public. If we are unable to find vendor's e-mail address or if no reply is received within 24 hours, HexView will publish vulnerability notification including all technical details unless the issue is rated as "critical". If vendor does not reply within 72 hours, HexView may disclose all details for
critical vulnerabilities as well.

If vendor replies within the above mentioned time period, HexView will announce the vulnerability, but will not disclose the details required to reproduce it. HexView will also specify the date when full disclosure
containing all the details will be published. The time period between announcement and full disclosure is 30 days unless there is an agreement with vendor and appropriate justification for extension. If vendor
resolves the issue earlier than 30 days after  announcement, HexView will publish full disclosure as soon as the fix is available to the public.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ