| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 26 Oct 2006 09:23:28 -0500 From: <cdejrhymeswithgay@...h.com> To: <bugtraq@...urityfocus.com>, <full-disclosure@...ts.grok.org.uk>, <ge@...uxbox.org> Subject: Re: Yahoo! Messenger Service 18 Remote Buffer Overflow Vulnerability -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, 25 Oct 2006 04:30:18 -0500 Gadi Evron <ge@...uxbox.org> wrote: >> >> Does anyone have more information on this issue? >> > >Yes. SecuriTeam is currently assisting a researcher with reporting >this >issue to Yahoo! security. > >Yahoo! security responded in record time, as they often do, and >are >working to resolve this potential security vulnerability. > >An official report with full credit to the researcher who >discovered it >will be released when the incident has been resolved. > >A similar vulnerability was reported on the mailing lists a few >months >ago, which has not been fixed. SecuriTeam assisted the researcher >and >Yahoo! responded and fixed the issue in a matter of a day. Yahoo! >are very >capable with security vulnerabilities in their software. > >Thanks, > > Gadi. > >> ----snip---- >> http://www.securityfocus.com/bid/20625/discuss >> Yahoo! Messenger is prone to a remote buffer-overflow >vulnerability >> because it fails to properly bounds-check user-supplied data >before >> copying it to an insufficiently sized memory buffer. >> >> This vulnerability allows remote attackers to execute arbitrary >machine >> code in the context of the affected application. Failed exploit >attempts >> will likely crash the server, denying further service to >legitimate >> users. >> >> Yahoo! Messenger 8 with Voice is vulnerable. >> ----snip---- >> >> >> I could not find this vulnerability reported on any other place >than >> bugtraq (say Secunia, iDefense, ISC). >> >> >> Thanks, >> >> - Siddhartha >> > > >_______________________________________________ >Full-Disclosure - We believe in it. >Charter: http://lists.grok.org.uk/full-disclosure-charter.html >Hosted and sponsored by Secunia - http://secunia.com/ So how fast is this "record time?" As fast as Hitler's Blitzkrieg tactics? That's pretty fast! -----BEGIN PGP SIGNATURE----- Note: This signature can be verified at https://www.hushtools.com/verify Version: Hush 2.5 wpwEAQECAAYFAkVAxOAACgkQsGS6s78KOsUFYgP9G7XHXYQvFrxyD7Bg7L+QXqAnfgiw U8y4uD3M0jNJ6V+SwY5DZRPMOkAyRWHDRWh6okaLcVJf4e+urRroB8sAxfUZuHbI5EZd wt9hCXlbTmRTNGp4cT7FQyPaVGN69xFcsjpFXfN2t8H73UWi1voJ6Ag1k5W8cPP0g4P3 AVhAf00= =xmAy -----END PGP SIGNATURE----- Concerned about your privacy? Instantly send FREE secure email, no account required http://www.hushmail.com/send?l=480 Get the best prices on SSL certificates from Hushmail https://www.hushssl.com?l=485 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists