Open Source and information security mailing list archives
 
Message-ID: <da413e43c0b44cc2351fe287188ac40a@ecn.org>
From: cripto at ecn.org (Anonymous)
Subject: iDEFENSE Security Advisory 08.25.04:

At 01:45 PM 8/25/2004 -0400, idlabs-advisories@...fense.com wrote:
>CDE libDtHelp LOGNAME Buffer Overflow Vulnerability

>US-CERT Vulnerability Note VU#575804, detailing the original attack
>vectors, is available at:
>
>http://www.kb.cert.org/vuls/id/575804

>iDEFENSE has confirmed the existence of this vulnerability in Solaris 8
>and Solaris 9 without the patches provided for in Sun Alert 57414.

>VIII. DISCLOSURE TIMELINE
>
>03/04/2004   Initial vendor contact
>             (Opengroup.org)
>03/04/2004   iDEFENSE clients notified
>03/31/2004   Initial vendor response
>             (Opengroup.org - further coordination requested)
>04/19/2004   Initial vendor contact
>             (Hewlett-Packard, IBM, and Sun Microsystems)
>04/19/2004   Initial vendor response (Sun Microsystems)
>04/20/2004   Initial vendor response (Hewlett-Packard)
>08/25/2004   Public disclosure


I am confused. Sun patched this on 30 April. HP patched as recently as February. IBM in November. The last change to the CERT VN was 4 November.

Why "disclose" this now?

