lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <001b01c49a42$188ab8c0$d4f0bb51@vegetabl3.org>
From: advisories at corsaire.com (advisories)
Subject: Correction to latest Colsaire advisories

# I've already sent this to the list once already, but it seems to have got
lost somewhere along the way. If it does show up at some point; apologies in
advance for the repeat posting.

It's always good to be correct(ness).

At the time the research was conducted (August 2003) we obviously looked
around for as much information as possible prior to commencing. There were a
number of individual MIME issues around, but most were single-product
vulnerabilities. If the 3APA3A white paper you refer to was in existence at
this time, it was not one we encountered. It has also been recently updated
to include the latest information, so I can not comment on its previous
content.

The Corsaire research project produced test cases for around 200 working
attack vectors, that when passed through the top 10 content products
produced over 800 individual vulnerabilities (needless to point out that
there are a lot more than 10 products in this arena).

When we approached Mitre in regard to organising CVE numbers, it was clear
that there were far too many issues to allocate individually, so it was
agreed to pursue the same route as the SNMP issue from several years ago
(http://www.cert.org/advisories/CA-2002-03.html) and group them into
manageable chunks; this is what produced the broad category based
advisories. The use of the categories then isn't an attempt to assume credit
for anyone else's work (if such exists), but to manage the volume of issues
identified.

In regard to the 3APA3A white paper itself, it is true that there is some
overlap with the Corsaire advisory categories. However the actual test cases
provided to the vendors (plus unpublished advisories) contain literally
dozens of issues that are not documented within the 3APA3A white paper at
all. If anyone were to claim that the 3APA3A white paper is in any way
complete, fully researched and definitive, it would simply be untrue.

Regards,
Martin O'Neal
Colsaire (chopped cabbage & onion; pirate style)








Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ