Open Source and information security mailing list archives
Message-ID: <4f0e191c040818135827ab8680@mail.gmail.com>
From: krmaxwell at gmail.com (Kyle Maxwell)
Subject: iDEFENSE Security Advisory 08.18.04: Courier-IMAP Remote Format String Vulnerability

On Wed, 18 Aug 2004 12:32:55 -0400, idlabs-advisories@...fense.com
<idlabs-advisories@...fense.com> wrote:
> Courier-IMAP Remote Format String Vulnerability
> 
> iDEFENSE Security Advisory 08.18.04
> www.idefense.com/application/poi/display?id=131&type=vulnerabilities
> August 18, 2004

[snip]

> The vulnerability specifically exists within the auth_debug() function
> defined in authlib/debug.c:
> VIII. DISCLOSURE TIMELINE
> 
> 08/10/2004   Initial vendor contact
> 08/10/2004   iDEFENSE clients notified
> 08/11/2004   Initial vendor response
> 08/18/2004   Public disclosure
> 
> IX. CREDIT
> 
> An anonymous contributor is credited with discovering this
> vulnerability.
> 
> Get paid for vulnerability research
> http://www.idefense.com/poi/teams/vcp.jsp
> 
> X. LEGAL NOTICES
> 
> Copyright (c) 2004 iDEFENSE, Inc.

It's interesting to note that this was reported in March 2004 and
reported at http://www.securityfocus.com/bid/9845. The CVE project had
already announced an ID (see
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0224 or
your preferred CVE database). Unless there's something substantially
new here, iDEFENSE is charging customers for (and trying to gain
reputation based on) information that is months old without even
giving credit where it's due. Perhaps the concept of plagiarism is
worth reviewing here.

-- 
Kyle Maxwell
krmaxwell@...il.com
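The advisory quoted above locates the bug in a debug logging function, auth_debug(), which is the classic shape of a format string defect: text that an authenticating client influences ends up being used as the printf-style format itself. The following C is an added example written for this archive page; it is not Courier-IMAP's authlib/debug.c and not iDEFENSE's code. The function names (debug_log_vulnerable, debug_log_fixed, count_format_directives, render_auth_debug) and the sample username are constructed for illustration. It places the vulnerable pattern beside the fixed one and adds a small audit helper that counts conversion directives in text before it could be treated as a format.

```c
/* Added example, not code from the advisory or from Courier-IMAP.
 * Shows the format-string defect pattern in a debug logger beside
 * the corrected form. All names below are hypothetical. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: the caller's message is used as the format string.
 * If that message carries client-controlled text (a username, a SASL
 * token), every '%' in it is interpreted by vfprintf. Shown for contrast;
 * the demonstration below only ever calls it with a constant string. */
static void debug_log_vulnerable(const char *msg, ...)
{
    va_list ap;
    va_start(ap, msg);
    vfprintf(stderr, msg, ap);   /* msg is the format: the defect */
    va_end(ap);
}

/* Fixed pattern: the format is a constant, untrusted text is only ever a
 * %s argument, so its '%' characters are printed literally. */
static void debug_log_fixed(const char *msg)
{
    fprintf(stderr, "%s\n", msg);
}

/* Variadic helper with a constant format supplied by the programmer;
 * renders into a caller buffer and returns the would-be length. */
static int debug_logf(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Audit helper: number of conversion directives in s. A doubled "%%" is a
 * literal percent sign and is not counted. Text that will be passed as a
 * format argument should return 0 here; text passed through %s may return
 * anything, because it is never interpreted. */
static int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%" is a literal, skip both characters */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

/* Render an authentication-failure debug line the safe way: constant
 * format, username only as a %s argument. Returns the rendered length. */
static int render_auth_debug(char *out, size_t outsz, const char *user)
{
    return debug_logf(out, outsz, "auth failed for user: %s", user);
}

int main(void)
{
    /* Constructed sample: a username made of format directives. */
    const char *user = "%x %x %n";
    char line[128];
    int n = render_auth_debug(line, sizeof line, user);

    debug_log_vulnerable("logger started (constant format only)\n");
    debug_log_fixed(line);
    printf("%d directives in input; rendered %d bytes: %s\n",
           count_format_directives(user), n, line);
    return 0;
}
```

The audit helper is the kind of check worth running over any value that reaches a variadic logger's format parameter during code review: with the fixed pattern the rendered line simply contains the three directives as literal text, whereas the vulnerable pattern would have handed them to vfprintf.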
