Bugtraq mailing list archives
Re: Napster, Inc. response to Colten Edwards
From: drc () SOPHMAN COM (Danny Crawford)
Date: Thu, 30 Mar 2000 18:29:33 -0600
That's funny because I know of three (one was me) people that notified Napster of this problem on IRC and via land line.

----- Original Message -----
From: "Elias Levy" <aleph1 () SECURITYFOCUS COM>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Thursday, March 30, 2000 1:51 PM
Subject: Napster, Inc. response to Colten Edwards
----- Forwarded message from Jordan Ritter <jpr5 () napster com> -----

Date: Wed, 29 Mar 2000 13:50:05 -0800
From: Jordan Ritter <jpr5 () napster com>
To: aleph1 () securityfocus com
Subject: Napster, Inc. response to Colten Edwards
Message-ID: <20000329135005.A17554 () napster com>

Aleph --

I'm waiting for listserv to come through on my napster.com subscription to bugtraq, but it's lagging. Please push this through. Thanks.

--jordan

-----

BugTraq readership:

This email is in response to the recent post by Colten Edwards regarding a potential buffer overflow in the Napster client software.

The Napster Win32 client software does contain an overflow in its messaging functionality, which includes public (chat) and private (IM) messaging. The overflow only affects users of the Win32 Napster client, and could only be exploited through the use of a rogue Napster client in conjunction with a Napster server.

Napster, Inc. reports NO indication that this vulnerability is being exploited, and further would like to assure the general public that the vulnerability is NOT an issue any longer. Approximately one hour after receiving the post from BugTraq, Napster's servers were patched to prevent this from occurring. Users of the Napster Win32 client software are NOT vulnerable.

We would like to point out the unfortunate fact that we first learned of this issue through BugTraq. The discovery of the problem was apparently relayed briefly to the #napster channel on EFnet IRC by Colten Edwards, before being posted to this list approximately one hour later. Napster, Inc. was never notified of this issue via phone, email, or across any other effective channel of communication. This situation is particularly disturbing to us, as Mr. Edwards' malicious intent becomes painfully obvious from the tone and candor of his post.

To the best of our knowledge, the general policy on BugTraq is that vendors should be notified of issues and given a reasonable amount of time to address the problem, so as to avoid unnecessary risk to the vendor's customers. A meaningful notification from Mr. Edwards and a small amount of patience would have resulted in a fix before the potential vulnerability put our users at risk. Of course, understanding the time frame involved and the intent of the post, we can only voice our dismay and disapproval of Mr. Edwards' actions.

Thank you, and good day.

Jordan Ritter
Security Director
Napster, Inc.

Napster -- Music at Internet Speed

----- End forwarded message -----

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/