RE: Dangerous information in CentraOne log files - VENDOR RESPONSE

[zedfly () hushmail com]

-----BEGIN PGP SIGNED MESSAGE-----

On 12/7/01, an e-mail was sent to 7 different address @ Centra, four of these e-mail addresses were obtained directly 
from Centra's website; the remaining three addresses, taken from RFP's Policy, were added for completeness.  On 
12/17/01, ten days later, without a response from Centra, the posting was submitted to VulnWatch, BugTraq and NTBugTraq.

The vulnerability described in the original posting is contained in the version available for download their website.  
Per Centra's response, they have chosen not to temporarily remove it until a fix is available.  Anyone evaluating this 
software may install a vulnerable version and it is, therefore, highly recommended that you consider postponing any 
evaluations, and purchase decisions until Centra has made a non-vulnerable version available for download.  ...And 
you've ascertained whether or not they have actually fixed it.

As I'm sure you all know, one of the reasons vulnerability announcements are made is to test a company's effectiveness 
at dealing with security issues, one can learn a lot about how well you'll be supported this way.


-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wlsEARECABsFAjwrqvgUHHplZGZseUBodXNobWFpbC5jb20ACgkQUqpz3LoqFkl8dACe
KyJM7lptQGnO3+8ICPj2KdBhQhkAoIxQlpP4zlW3cJspfxkt33oWGbR3
=IWEc
-----END PGP SIGNATURE-----