nanog mailing list archives

RE: ISS X-Force Security Advisories on Checkpoint Firewall-1 and VPN-1


From: "Ingevaldson, Dan (ISS Atlanta)" <dsi () iss net>
Date: Fri, 6 Feb 2004 15:39:56 -0500


ISS notified Check Point on 2/2/2004, and Check Point made their update
for the FW-1 HTTP issue on 2/4/2004.  It is our policy to only release
public information when the affected vendor has published information
and/or released a fix.

Check Point only released one fix on 2/4/2004, not two fixes to address
both issues.  As stated in the ISS VPN-1 Advisory, Check Point no longer
supports the VPN-1 4.1 line, and recommends that customers upgrade to
NG.  

------------------
Daniel Ingevaldson
Director, X-Force R&D
dsi () iss net 
404-236-3160
 
Internet Security Systems, Inc.
The Power to Protect
http://www.iss.net

-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of
Steven M. Bellovin
Sent: Thursday, February 05, 2004 2:56 PM
To: Rubens Kuhl Jr.
Cc: nanog () merit edu
Subject: Re: ISS X-Force Security Advisories on Checkpoint Firewall-1
and VPN-1 


In message <02e501c3ec1f$9a833fe0$020ba8c0@NOTEBOOK>, "Rubens Kuhl Jr."
writes:

Isn't it curious that two unrelated issues have been reported to 
CheckPoint on the same day and the patches came out on the same day?
Am I too paranoid, or does it seem that CheckPoint had previous knowledge 
of the bugs and they agreed with ISS which date would be stated as 
notification to CP to make it appear that a quick response (two days) 
has been achieved on those issues?

Why is that bad?  I have no objection to giving vendors a reasonable
amount of time to fix problems before announcing the hole.  Or is your
point that two days hardly seems like enough time to develop -- and
*test* -- a fix?

                --Steve Bellovin, http://www.research.att.com/~smb


