That's funny because I know of three (one was me) people that notified
Napster of this problem on IRC and via land line.
----- Original Message -----
From: "Elias Levy" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 30, 2000 1:51 PM
Subject: Napster, Inc. response to Colten Edwards
> ----- Forwarded message from Jordan Ritter <[EMAIL PROTECTED]> -----
>
> Date: Wed, 29 Mar 2000 13:50:05 -0800
> From: Jordan Ritter <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Napster, Inc. response to Colten Edwards
> Message-ID: <[EMAIL PROTECTED]>
>
> Aleph --
>
> I'm waiting for listserv to come through on my napster.com
> subscription to bugtraq, but it's lagging. Please push this
> through. Thanks.
>
> --jordan
>
> -----
>
> BugTraq readership:
>
> This email is in response to the recent post by Colten Edwards
> regarding a potential buffer overflow in the Napster client
> software.
>
> The Napster Win32 client software does contain an overflow in its
> messaging functionality, which includes public (chat) and private
> (IM) messaging. The overflow only affects users of the Win32
> Napster client, and could only be exploited through the use of a
> rogue Napster client in conjunction with a Napster server.
>
> Napster, Inc. reports NO indication that this vulnerability is
> being exploited, and further would like to assure the general
> public that the vulnerability is NOT an issue any longer.
>
> Approximately one hour after receiving the post from BugTraq,
> Napster's servers were patched to prevent this from occurring.
> Users of the Napster Win32 client software are NOT vulnerable.
>
> We would like to point out the unfortunate fact that we first
> learned of this issue through BugTraq. The discovery of the
> problem was apparently relayed briefly to the #napster channel on
> EFnet IRC by Colten Edwards, before being posted to this list
> approximately one hour later. Napster, Inc. was never notified of
> this issue via phone, email, or across any other effective channel
> of communication.
>
> This situation is particularly disturbing to us, as Mr. Edwards'
> malicious intent becomes painfully obvious from the tone and
> candor of his post. To the best of our knowledge, the general
> policy on BugTraq is that vendors should be notified of issues and
> given a reasonable amount of time to address the problem, so as to
> avoid unnecessary risk to the vendor's customers. A meaningful
> notification from Mr. Edwards and a small amount of patience would
> have resulted in a fix before the potential vulnerability put our
> users at risk. Of course, understanding the time frame involved
> and the intent of the post, we can only voice our dismay and
> disapproval of Mr. Edwards' actions.
>
> Thank you, and good day.
>
>
> Jordan Ritter
> Security Director
> Napster, Inc.
>
> Napster -- Music at Internet Speed
>
> ----- End forwarded message -----
>
> --
> Elias Levy
> SecurityFocus.com
> http://www.securityfocus.com/
>