Bugtraq mailing list archives

Re: IBM TFTP Server for Java vulnerability


From: John Schultz <jschultz () coin org>
Date: Mon, 23 Jul 2001 14:26:18 -0500 (CDT)

As was pointed out to me in a private mail message, there was a month
between the vendor being contacted and the advisory being posted on
Bugtraq.  I misread the original message from Patrick and thought the
advisory had been released only a day after he contacted IBM, and not a
month.

While I feel the points in my original email are still valid, the tone of
my message was a bit harsher than necessary.  IBM probably could have
informed Patrick that a fix would be in an upcoming release, and Patrick
could have perhaps waited for that release to be announced before posting
his advisory.  Unfortunately, that didn't happen.

On Sat, 21 Jul 2001, John Schultz wrote:

> On Fri, 20 Jul 2001, Patrick Medhurst wrote:
> > The vendor was contacted on 19 June 2001 and responded on 20 June 2001
> > as follows:
> > "We will take a look at the issue and fix it as soon as possible".
> >
> > Further correspondence requesting when a fix will be released has been
> > ignored.
>
> Just because a company can't tell you immediately when a bug will be
> fixed, you say that you are being ignored and see fit to release an
> advisory?  Do you have any idea how easy the problem will be to fix?
> Probably not, and I bet IBM would have to do some research first, finding
> out what code contains the problem, allocating developers, build
> personnel, and QA the fix before they even know when a fix will be out.
> Sheesh.

John Schultz
jschultz () coin org
