Message-ID: <196905565.20090325225532@SECURITY.NNOV.RU>
Date: Wed, 25 Mar 2009 22:55:32 +0300
From: "Vladimir '3APA3A' Dubrovin" <3APA3A@...URITY.NNOV.RU>
To: "Eric C. Lukens" <eric.lukens@....edu>
Cc: bugtraq@...urityfocus.com
Subject: Re[2]: Secunia Research: Adobe Reader JBIG2 Symbol Dictionary Buffer Overflow

Dear Eric C. Lukens,

US-CERT note TA09-051A on this issue being exploited in-the-wild was
issued on February 20.

http://www.us-cert.gov/cas/techalerts/TA09-051A.html

--Wednesday, March 25, 2009, 10:20:40 PM, you wrote to bugtraq@...urityfocus.com:

ECL> I noticed that as well, but suspected they were notified via more than
ECL> one mechanism or had already found the bug internally. I find it funny
ECL> that they had the final code ready on the 28th, but still didn't get it
ECL> out to the public for another 2 weeks. I suppose they ran it through
ECL> one last QA procedure, or they just don't like to deliver things early.

ECL> -Eric

ECL> -------- Original Message --------
ECL> Subject: Re: Secunia Research: Adobe Reader JBIG2 Symbol Dictionary
ECL> Buffer Overflow
ECL> From: Florian Weimer <fw@...eb.enyo.de>
ECL> To: Secunia Research <remove-vuln@...unia.com>
ECL> Cc: bugtraq@...urityfocus.com
ECL> Date: 3/25/09 11:42 AM
>> * Secunia Research:
>>
>>
>>> ======================================================================
>>> 5) Solution
>>>
>>> Update to version 7.1.1, 8.1.4, or 9.1.
>>>
>>> ======================================================================
>>> 6) Time Table
>>>
>>> 06/03/2009 - Vendor notified.
>>> 07/03/2009 - Vendor response.
>>> 25/03/2009 - Public disclosure.
>>>
>>
>> Something doesn't add up because the 9.1 binary I've got was created
>> on February 28th, according to Verisign's time stamping signature in
>> the Authenticode signature.
>>

--
Skype: Vladimir.Dubrovin
~/ZARAZA http://securityvulns.com/