Re: [Full-Disclosure] iDEFENSE Security Advisory 08.25.04:

From: Anonymous <cripto@ecn.org>
Date: Thu Aug 26 2004 - 03:37:00 EDT

At 01:45 PM 8/25/2004 -0400, idlabs-advisories@idefense.com wrote:
>CDE libDtHelp LOGNAME Buffer Overflow Vulnerability

>US-CERT Vulnerability Note VU#575804, detailing the original attack
>vectors is available at:
>
>http://www.kb.cert.org/vuls/id/575804

>iDEFENSE has confirmed the existence of this vulnerability in Solaris 8
>and Solaris 9 without the patches provided for in Sun Alert 57414.

>VIII. DISCLOSURE TIMELINE
>
>03/04/2004 Initial vendor contact
> (Opengroup.org)
>03/04/2004 iDEFENSE clients notified
>03/31/2004 Initial vendor response
> (Opengroup.org - further coordination requested)
>04/19/2004 Initial vendor contact
> (Hewlett-Packard, IBM, and Sun Microsystems)
>04/19/2004 Initial vendor response (Sun Microsystems)
>04/20/2004 Initial vendor response (Hewlett-Packard)
>08/25/2004 Public disclosure

I am confused. Sun patched this on 30 April. HP patched as recently as February. IBM in November. The last change to the CERT VN was 4 November.

Why "disclose" this now?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Received on Thu Aug 26 09:23:02 2004

This archive was generated by hypermail 2.1.8 : Thu Aug 26 2004 - 10:08:58 EDT
