Message-ID: <FB24803D1DF2A34FA59FC157B77C97050313D8F8@idserv04.idef.com>
From: labs at iDefense.com (iDefense Labs)
Subject: iDEFENSE Security Advisory 08.16.04: CVS Undocumented Flag Information Disclosure Vulnerability

Stefan,

We were aware that the vulnerability had been patched due to the work of
Sebastian Krahmer and yourself as this was mentioned by CVS during the
vendor disclosure process. We chose to proceed with the disclosure as it
did not appear that the CVE number for this issue had been
reserved/publicized or that specific details of this vulnerability had
been posted. We do not however wish to take credit from you for your
efforts.

Regards,
Michael Sutton

>Hi iDEFENSE,

>> This issue was patched in the latest (June 9th) releases of CVS,
>> specifically 1.11.17 & 1.12.9.

>well guess WHY it was fixed... maybe because it was found and
>reported by Sebastian Krahmer back in May?

>> VIII. CREDIT
>> 
>> An anonymous contributor is credited with discovering this
>> vulnerability.
...
>> Get paid for vulnerability research

>The bug was officially fixed with the last releases because it was
>already found at that time by Sebastian Krahmer. So I suggest that you
>ask him for his bank account.

>It is quite funny that this is the 3rd (or maybe 4th) incident I know
>of, where you pay people for vulnerabilities that were already found
>and reported by others.

>Stefan Esser

-- 
--------------------------------------------------------------------------
 Stefan Esser                                        s.esser@...atters.de
 e-matters Security                          http://security.e-matters.de/

 GPG-Key                gpg --keyserver pgp.mit.edu --recv-key 0xCF6CAE69
 Key fingerprint       B418 B290 ACC0 C8E5 8292  8B72 D6B0 7704 CF6C AE69
--------------------------------------------------------------------------
 Did I help you? Consider a gift:              http://wishlist.suspekt.org/
