Re: [Full-disclosure] Secunia published adviso without respecting release date !

2005-07-16 Thread Xavier Beaudouin


On 16 Jul 05 at 03:59, Jerome Athias wrote:


2 things I remind myself...

1) http://seclists.org/lists/vulndiscuss/2004/Dec/0006.html


Yes. I received this one. But I still don't agree that Secunia didn't
take the time to inform The Caudium Group *before* sending this
advisory to security lists.


This is _not_ fair and positively a bad way to be *respected* on
security advisories.


This is also the reason why we decided (we = Caudium group) to close the bug
tracker at SourceForge, to avoid false information being sent.


Usually the idea is:

bug/security problems found - draft of advisory is sent to
developers to get more accurate information - time to make a fix -
advisory is sent


Secunia has just taken a bug from our tracker *without* telling the
Caudium Group that they were taking this for making an advisory, and just
sent it to security lists with _false_ information.


I still consider that this is half-done work and they are not nice
people when they make advisories.


So because of that half-done work, all Caudium Group developers now
no longer trust Secunia. I am sorry for them, but this is the way
they make advisories without contacting authors that gives us this
situation.


2) This is an answer from Thomas before a disclosure of some vuln
that Secunia found at the same time:


10/09/2004 19:40

Re: OpenOffice World-Readable Temporary Files Disclose Files to  
Local Users


Hi Jérôme,

This issue was originally discovered by Secunia on 16th August and
reported to the vendors.

Please do not forward to anyone else. The various vendors will release
updates on Wednesday in a co-ordinated disclosure.

Kind regards,


They didn't get so much smarter with us. We still don't accept this fact.
If they were so smart we would still trust them. They were not, so they are
their own victims of their half-done work for the Caudium group advisory.

/Xavier

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Secunia published adviso without respecting release date !

2005-07-16 Thread Jerome Athias

2 things I remind myself...

1) http://seclists.org/lists/vulndiscuss/2004/Dec/0006.html

2) This is an answer from Thomas before a disclosure of some vuln that Secunia
found at the same time:


10/09/2004 19:40

Re: OpenOffice World-Readable Temporary Files Disclose Files to Local Users

Hi Jérôme,

This issue was originally discovered by Secunia on 16th August and
reported to the vendors.

Please do not forward to anyone else. The various vendors will release
updates on Wednesday in a co-ordinated disclosure.

Kind regards,

Thomas

On Fri, 2004-09-10 at 17:31, [EMAIL PROTECTED] wrote:

Date:  Thu, 9 Sep 2004 23:52:18 -0400
Subject:  http://www.openoffice.org/issues/show_bug.cgi?id=33357
Reporter: pmladek
OS:  Linux
Version:  OOo 1.1.2
Summary:  Insecure permissions on temporary files at runtime
 When OOo is started, a directory /tmp/sv<RAND>.tmp is created, where
RAND is a 3 character random string. The permissions of this directory
allow other users (depending on the user's umask) to 'cd' to this directory
and list the contents.
 Once a file is saved, a zipped file is created in /tmp/sv<RAND>.tmp and the
name of the file follows the same convention. The permissions of the file
allow others (depending on the user's umask) to read the content.
 Due to this any user can grab sensitive information of some other user.
 Steps to reproduce the problem:
1. Launch OpenOffice.
2. List /tmp contents. Locate the directory 'sv*.tmp'
3. Type in some contents in the document and save it.
4. List the contents of the directory /tmp/sv*.tmp/
5. Do not close OpenOffice. 'su' to a different user.
6. Copy the file under /tmp/sv*.tmp/ to home directory.
7. Use 'unzip' to unzip the files.
8. The file content.xml holds the data the user had just saved.
 The workaround is to set a more secure umask. The problem is that the users
do not know about it. Why should they need to set a more strict umask if they
save their data in a directory which has the correct permissions? They do not
expect that there are any world-readable temporary data available somewhere on
the system.

Regards,
Jérôme ATHIAS
---

--
Kind regards,

Thomas Kristensen
CTO

Secunia
Toldbodgade 37B
1253 Copenhagen K
Denmark

Tlf.: +45 7020 5144
Fax:  +45 7020 5145



So, express your opinion, but either they want exclusivity, or they
respect the full-disclosure policy most of the time.


My 0,01€
/JA

**
http://www.secunia.fr
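The bug report quoted above (OpenOffice creating its sv*.tmp directory and the saved file inside it with permissions left to the user's umask) comes down to one rule: a program that needs private temporary data must request restrictive modes itself instead of relying on whatever umask the user happens to have. The Python script below is an added example written for this page; it is not code from this thread, from OpenOffice or from Secunia. It creates a directory and file the umask-dependent way the report describes next to the hardened 0o700/0o600 form, then runs a small audit that lists everything under a scratch directory that other users could read. All names (svABC.tmp and so on) and the sample content are constructed for the demonstration.

```python
import os
import shutil
import stat
import tempfile

# Constructed stand-in for the saved document; in the report the file was a
# zip archive whose content.xml held the user's text.
SAMPLE_CONTENT = b"<content>secret draft</content>"


def umask_dependent_dir(base, name):
    """The pattern the report describes: mode 0o777 is requested and only the
    caller's umask trims it, so with the common 0o022 umask others can list it."""
    path = os.path.join(base, name)
    os.mkdir(path)  # effective mode is 0o777 & ~umask
    return path


def umask_dependent_file(dirpath, name, data):
    """Plain open() requests 0o666, again leaving the outcome to the umask."""
    path = os.path.join(dirpath, name)
    with open(path, "wb") as f:
        f.write(data)
    return path


def private_dir(base, name):
    """Hardened form: request 0o700 explicitly. The umask can only clear
    permission bits, never add them, so this is private under any umask."""
    path = os.path.join(base, name)
    os.mkdir(path, 0o700)
    return path


def private_file(dirpath, name, data):
    """Hardened form: O_CREAT|O_EXCL with 0o600, so the file is always created
    fresh (a pre-placed file is never reused) and unreadable by others."""
    path = os.path.join(dirpath, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def others_can_read(path):
    """True when the 'other' read bit is set: for a directory any local user
    can list it, for a file any local user can read it."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_world_readable(root):
    """Return, relative to root, every directory or file under it that other
    users can read. This is the check an administrator would run over /tmp."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if others_can_read(path):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def demo(umask_value=0o022):
    """Create both variants in a scratch directory under the given umask and
    return {"leaks": [...], "private_ok": bool}. The scratch tree is removed
    afterwards and the caller's umask restored."""
    old_umask = os.umask(umask_value)
    scratch = tempfile.mkdtemp(prefix="umask-demo-")  # mkdtemp itself uses 0o700
    try:
        leaky_dir = umask_dependent_dir(scratch, "svABC.tmp")
        umask_dependent_file(leaky_dir, "svXYZ.tmp", SAMPLE_CONTENT)
        safe_dir = private_dir(scratch, "svDEF.tmp")
        safe_file = private_file(safe_dir, "svUVW.tmp", SAMPLE_CONTENT)
        return {
            "leaks": audit_world_readable(scratch),
            "private_ok": not others_can_read(safe_dir)
            and not others_can_read(safe_file),
        }
    finally:
        os.umask(old_umask)
        shutil.rmtree(scratch, ignore_errors=True)


if __name__ == "__main__":
    for mask in (0o022, 0o077):
        result = demo(mask)
        print(f"umask {mask:04o}: world-readable entries {result['leaks']}, "
              f"hardened entries private: {result['private_ok']}")
```

Run it directly: with the usual 0o022 umask the audit reports both the umask-dependent directory and the file inside it, while the 0o700/0o600 entries stay private. With the 0o077 umask the report's workaround suggests, the leaky variant also disappears from the audit, which shows exactly why that workaround is fragile: it only works if every user sets it, whereas the explicit modes hold regardless.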


- Original Message - 
From: Xavier Beaudouin [EMAIL PROTECTED]

To: [EMAIL PROTECTED]@class101.org
Cc: full-disclosure@lists.grok.org.uk
Sent: Thursday, July 14, 2005 12:59 PM
Subject: Re: [Full-disclosure] Secunia published adviso without respecting release date !



This is usual with Secunia..

I had a bug in a beta version of software and they released a
vulnerability for *all* versions of this software
without even informing the maintainer (me) of this pseudo advisory.

My thoughts about these guys are now: don't even trust them... They
push advisories without testing and without respecting the
usual way to inform developers as they should.

My 0,02€
/xavier
On 13 Jul 05 at 23:45, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1



Then don't send to Secunia b4 the rls date ! HUH


- -Original Message-
From: [EMAIL PROTECTED] [mailto:full-[EMAIL PROTECTED] On behalf of Eric Romang
Sent: Tuesday 12 July 2005 21:09
To: [EMAIL PROTECTED]
Cc: full-disclosure@lists.grok.org.uk; Eric Romang
Subject: [Full-disclosure] Secunia published adviso without respecting release date !



Hello,

These advisories are published on your website, but the patches are not
yet ok.
I contacted upstream today, before you released the adviso, so they
could react.

As you  can see in the adviso, the release date was not given 

http://secunia.com/advisories/16040/
http://secunia.com/advisories/16038/

You release advisories without respecting the normal process to publish an adviso.

This guy is monitoring my /adviso/ folder.

80.161.200.182

I think this guy is working for you.

So please say to him to respect the normal process in a security
process.

Regards.

