I manage product security at McAfee, of which Foundstone is a part. I am not
aware of releasing such an advisory, and am looking into this. Could we get
details regarding where this was found? Was this posted to a web site? A
security mailing list? And when was it posted? This may have a very different
meaning if it was published in 2001 or something like that. Alternately,
Foundstone produces vulnerability management software; was this in a report
generated by that product?

As far as I know, we try to never make general sweeping statements about
products such as those quoted by the poster. Our statements are typically
regarding a single vulnerability, and extrapolating to the entire product is
not in our nature or in our customers' best interests. We want issues fixed,
not to argue about which specific platforms are better than others.

Additionally, we try to never release any vague reports such as the one I'd
seen. They are typically combined with additional details that would allow one
to determine their own risk, and we usually include a CVE number or another
common vulnerability identifier. Finally, we follow responsible disclosure,
and wouldn't issue an advisory without notifying the vendor prior.

I have the appropriate teams trying to track this down from an internal
standpoint, but any help from the community, especially the original poster,
would be appreciated. If our statement or product wording is incorrect, we will
certainly rectify this.

Manager of Product Security
McAfee Security Architecture Group