Dailydave mailing list archives

RE: Tech reporting...


From: "Paul Melson" <pmelson () gmail com>
Date: Tue, 2 Aug 2005 10:33:06 -0400

I didn't hear Lynn's talk, so I can't say what he did or didn't say in the
context of Black Hat.  However, I interpret that quote, specifically the
language "buffer-overflow vulnerability," to refer to the IPv6 vulnerability
that Lynn apparently referenced in his presentation.  Cisco did release an
advisory for this vulnerability almost immediately after the fact.
(http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml)

Whether or not Cisco intended to fix this bug without disclosing it to
the public is another issue, and perhaps a matter of interpretation of the
events.

PaulM

PS - An interesting exercise for the reader might be to look at things like
build dates and release dates for IOS ED versions that are not vulnerable to
this bug.  There might be clues as to when Cisco started fixing this
problem.


-----Original Message-----
Subject: [Dailydave] Tech reporting...

"Joseph Klein, senior security analyst at the aerospace electronic systems
division for Honeywell Technology Solutions, said he helped arrange a
meeting between government IT professionals and Lynn after the talk. Klein
said he was furious that Cisco had been unwilling to disclose the
buffer-overflow vulnerability in unpatched routers. "I can see a
class-action lawsuit against Cisco coming out of this," Klein said."

(source: http://www.computerworld.com/securitytopics/security/story/0,10801,103539p2,00.html)

So does this imply Cisco silently fixed bugs, and Lynn scorned them for
that? For all I see, the story is getting more and more confusing.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave

