Micheal, Full disclosure is good, but it's pretty standard procedure to contact the developer directly first and issue the vulnerability report to the public when a fix is ready. Even if this vulnerability was not rated critical I still think you should have followed this procedure. As this issue was discussed on this list yesterday(!) under a subject that didn't make it obvious, you can't expect Fritz to have issued a fix by today. Fritz never commented that thread and you can't always expect a fix to be ready in 1 day (even if we have a fix ready now).
Lars ------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 _______________________________________________ Assp-user mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/assp-user
