Full Disclosure mailing list archives

Re: ZDI-07-006: Citrix Metaframe Presentation Server Print Provider Buffer Overflow Vulnerability

From: "Jason Areff" <hailtheczar () gmail com>
Date: Wed, 24 Jan 2007 17:35:54 -0600

On 1/24/07, Christian Kujau <lists () nerdbynature de> wrote:


On Wed, 24 Jan 2007, zdi-disclosures () 3com com wrote:
> -- Disclosure Timeline:
> 2005.07.07 - Pre-exiting Digital Vaccine released to TippingPoint
> customers
> 2006.10.02 - Vulnerability reported to vendor
> 2007.01.24 - Coordinated public release of advisory

out of curiosity: why took it 1+ year to report this vulneralbility to
the vendor?

Where do you see 1+ year? *Pre-existing* means there already existed a
"vaccine" that blocked vulnerabilities of this type released in '05. This
does not necessarily mean that was when ZDI received the bug submission. So
it was reported to the vendor in October and released to the public in
January... 4 months is not an outstanding patch time.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

ZDI-07-006: Citrix Metaframe Presentation Server Print Provider Buffer Overflow Vulnerability zdi-disclosures (Jan 24)
- Re: ZDI-07-006: Citrix Metaframe Presentation Server Print Provider Buffer Overflow Vulnerability Christian Kujau (Jan 24)
  - Re: ZDI-07-006: Citrix Metaframe Presentation Server Print Provider Buffer Overflow Vulnerability Jason Areff (Jan 24)
    - Re: ZDI-07-006: Citrix Metaframe Presentation Server Print Provider Buffer Overflow Vulnerability Col (Jan 25)