[Full-Disclosure] iDEFENSE Security Advisory 08.25.04:
Anonymous
cripto at ecn.org
Thu Aug 26 08:37:00 BST 2004
At 01:45 PM 8/25/2004 -0400, idlabs-advisories at idefense.com wrote:
>CDE libDtHelp LOGNAME Buffer Overflow Vulnerability
>US-CERT Vulnerability Note VU#575804, detailing the original attack
>vectors is available at:
>
>http://www.kb.cert.org/vuls/id/575804
>iDEFENSE has confirmed the existence of this vulnerability in Solaris 8
>and Solaris 9 without the patches provided for in Sun Alert 57414.
>VIII. DISCLOSURE TIMELINE
>
>03/04/2004 Initial vendor contact
> (Opengroup.org)
>03/04/2004 iDEFENSE clients notified
>03/31/2004 Initial vendor response
> (Opengroup.org - further coordination requested)
>04/19/2004 Initial vendor contact
> (Hewlett-Packard, IBM, and Sun Microsystems)
>04/19/2004 Initial vendor response (Sun Microsystems)
>04/20/2004 Initial vendor response (Hewlett-Packard)
>08/25/2004 Public disclosure
I am confused. Sun patched this on 30 April. HP Patched as recently as February. IBM in November. The last change to the CERT VN was 4 November.
Why "disclose" this now?
Full-Disclosure is hosted and sponsored by Secunia.