Vulnerability Development mailing list archives

RE: Vendor Changelogs /Notifications


From: "Craig, Scott" <SCraig () kmart com>
Date: Fri, 6 Sep 2002 11:59:51 -0400

IMHO, I think you should take over the role of the vendor by posting to this
list.

1) If you discovered the vulnerability and can exploit it, verify that their
patch does indeed fix it.

2) Post to the mailing list(s) and mimic a vendor bulletin including
description, impact, severity, and note the fix/workaround. Also mention you
have a working exploit which will be published in a couple days.

3) Wait a couple days, post the detailed vulnerability information.

You may want to post to vuln-dev first, and get the results from other
people to see if there are other circumstances that affect whether or not
someone is vulnerable. Maybe someone else could have a twist on it as well.


-----Original Message-----
From: quentyn () fotango com [mailto:quentyn () fotango com] 
Sent: Thursday, September 05, 2002 2:46 PM
To: vuln
Subject: Vendor Changelogs /Notifications


This is really a generic query

Is it appropriate to send notifications to public lists if 
you spot that a vendor has fixed a serious security hole 
(mentioned only in the change log) but hasn't sent any 
notification and doesn't have any notification on their site? 
Other than using the product (and reading change logs) I 
have had nothing to do with this issue.

My concern is that people may continue to run the affected 
version without noticing that there is a fix. Certainly, 
certain vendors appear to be quite good about posting to 
bugtraq et al. to inform of problems and fixes in their 
products; others appear not so proactive about informing people.



Q


-- 
#####################
Quentyn Taylor
Sysadmin - Fotango
#####################
Never anger a dragon, for you are crunchy and good with ketchup.


