lynx-dev

[Lynx-dev] Re: FW: iDEFENSE Security Advisory [IDEF1089] Multiple Vendor


From: Thomas Dickey
Subject: [Lynx-dev] Re: FW: iDEFENSE Security Advisory [IDEF1089] Multiple Vendor Lynx Command Injection Vulnerability
Date: Fri, 28 Oct 2005 15:06:22 -0400 (EDT)

On Fri, 28 Oct 2005, vendor-disclosure wrote:

Thomas,

Thank you for responding. Please let us know how you'd like to proceed.

Well, I need to know the technical details, to see what type of fix is needed, how it is tested, etc. Given the context in which your email arrived, I'm expecting to have to patch 2.8.5 and the current version. Without seeing the report, I can't make an estimate on how long it takes to fix, but would like to deal with it now.

btw - address@hidden hasn't been used for several years (1998),
and address@hidden since early 2004.


Michael

-----Original Message-----
From: vendor-disclosure [mailto:address@hidden
Sent: Thursday, October 27, 2005 1:53 PM
To: address@hidden
Cc: vendor-disclosure
Subject: FW: iDEFENSE Security Advisory [IDEF1089] Multiple Vendor Lynx
Command Injection Vulnerability

The attached advisory and email was originally submitted on 09/08/2005, but
a response has not yet been received. In accordance with our vendor
disclosure policy (http://www.idefense.com/legal_disclosure.jsp) we will
proceed with public disclosure of this issue if acknowledgement of receipt
is not received within five business days.

Regards,
Michael Sutton

Michael Sutton
Director, iDEFENSE Labs
iDEFENSE
1875 Campus Commons Drive, Suite 210
Reston, VA 20191
direct: 703.480.5628
voice: 703.390.1230
fax: 703.390.9456
address@hidden
www.idefense.com

-----Original Message-----
From: vendor-disclosure [mailto:address@hidden
Sent: Thursday, September 08, 2005 11:50 PM
To: address@hidden
Cc: vendor-disclosure
Subject: FW: iDEFENSE Security Advisory [IDEF1089] Multiple Vendor Lynx
Command Injection Vulnerability

The message below bounced.

-----Original Message-----
From: vendor-disclosure [mailto:address@hidden
Sent: Thursday, September 08, 2005 11:27 PM
To: address@hidden
Cc: vendor-disclosure
Subject: iDEFENSE Security Advisory [IDEF1089] Multiple Vendor Lynx Command
Injection Vulnerability

iDEFENSE has identified a Command Injection vulnerability in Lynx. This
vulnerability was submitted to iDEFENSE through our Vulnerability
Contributor Program:

        http://www.idefense.com/poi/teams/vcp.jsp

iDEFENSE Labs has validated this vulnerability and has drafted the
attached advisory. In accordance with our vendor disclosure policy

        http://www.idefense.com/legal_disclosure.jsp

we would request that you acknowledge receipt of this initial
notification within five business days so that we may begin the process
of coordinating an appropriate public disclosure date for this issue
that will provide your company with adequate time to develop a patch or
workaround to mitigate this vulnerability. If you have questions
regarding this issue or require further details to assist with your own
analysis, please do not hesitate to contact us.

It is always our goal to coordinate on the public disclosure of
patches/advisories as quickly as possible after a vulnerability is
discovered. If however a reasonable timeframe cannot be agreed upon for
this issue, it will be publicly released in 60 days on 11/08/2005.
iDEFENSE is willing to work with a vendor to find a mutually agreeable
release date beyond this timeframe so long as the vendor continues to
make good faith efforts to produce patches in a timely fashion and
regularly informs iDEFENSE of their progress in doing so.

Please note that if the affected product is included within other
applications and/or operating systems, iDEFENSE will not be coordinating
disclosure of the vulnerability to affected third parties. We would ask
that you handle this coordination separately.

Regards,
Michael Sutton



--
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net



