At 01:45 PM 8/25/2004 -0400, [EMAIL PROTECTED] wrote:

> CDE libDtHelp LOGNAME Buffer Overflow Vulnerability
>
> US-CERT Vulnerability Note VU#575804, detailing the original attack
> vectors is available at:
>
> http://www.kb.cert.org/vuls/id/575804
>
> iDEFENSE has confirmed the existence of this vulnerability in Solaris 8
> and Solaris 9 without the patches provided for in Sun Alert 57414.
>
> VIII. DISCLOSURE TIMELINE
>
> 03/04/2004 Initial vendor contact (Opengroup.org)
> 03/04/2004 iDEFENSE clients notified
> 03/31/2004 Initial vendor response (Opengroup.org - further coordination requested)
> 04/19/2004 Initial vendor contact (Hewlett-Packard, IBM, and Sun Microsystems)
> 04/19/2004 Initial vendor response (Sun Microsystems)
> 04/20/2004 Initial vendor response (Hewlett-Packard)
> 08/25/2004 Public disclosure

I am confused. Sun patched this on 30 April. HP patched as recently as February. IBM in November. The last change to the CERT VN was 4 November. Why "disclose" this now?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
