Full Disclosure mailing list archives
Re: iDEFENSE Security Advisory 08.25.04:
From: Anonymous <cripto () ecn org>
Date: Thu, 26 Aug 2004 09:37:00 +0200 (CEST)
At 01:45 PM 8/25/2004 -0400, idlabs-advisories () idefense com wrote:
> CDE libDtHelp LOGNAME Buffer Overflow Vulnerability
>
> US-CERT Vulnerability Note VU#575804, detailing the original attack vectors, is available at: http://www.kb.cert.org/vuls/id/575804
>
> iDEFENSE has confirmed the existence of this vulnerability in Solaris 8 and Solaris 9 without the patches provided for in Sun Alert 57414.
>
> VIII. DISCLOSURE TIMELINE
> 03/04/2004 Initial vendor contact
> (Opengroup.org)
> 03/04/2004 iDEFENSE clients notified
> 03/31/2004 Initial vendor response
> (Opengroup.org - further coordination requested)
> 04/19/2004 Initial vendor contact
> (Hewlett-Packard, IBM, and Sun Microsystems)
> 04/19/2004 Initial vendor response (Sun Microsystems)
> 04/20/2004 Initial vendor response (Hewlett-Packard)
> 08/25/2004 Public disclosure
I am confused. Sun patched this on 30 April. HP patched as recently as February. IBM in November. The last change to the CERT VN was 4 November. Why "disclose" this now?
