From: vendor-disclosure
Subject: [Lynx-dev] RE: FW: iDEFENSE Security Advisory [IDEF1089] Multiple Vendor Lynx Command Injection Vulnerability
Date: Fri, 28 Oct 2005 15:18:04 -0400
Sorry, the report should have been attached to the last email. Let me know
if it doesn't arrive this time.
I have also attached a PoC exploit.
Michael
-----Original Message-----
From: Thomas Dickey [mailto:address@hidden
Sent: Friday, October 28, 2005 2:06 PM
To: vendor-disclosure
Cc: address@hidden
Subject: Re: FW: iDEFENSE Security Advisory [IDEF1089] Multiple Vendor Lynx
Command Injection Vulnerability
On Fri, 28 Oct 2005, vendor-disclosure wrote:
> Thomas,
>
> Thank you for responding. Please let us know how you'd like to proceed.
Well, I need to know the technical details, to see what type of fix is
needed, how it is tested, etc. Given the context in which your email
arrived, I'm expecting to have to patch 2.8.5 and the current version.
Without seeing the report, I can't make an estimate on how long it takes
to fix, but would like to deal with it now.
btw - address@hidden hasn't been used for several years (1998),
and address@hidden since early 2004.
>
> Michael
>
> -----Original Message-----
> From: vendor-disclosure [mailto:address@hidden
> Sent: Thursday, October 27, 2005 1:53 PM
> To: address@hidden
> Cc: vendor-disclosure
> Subject: FW: iDEFENSE Security Advisory [IDEF1089] Multiple Vendor Lynx
> Command Injection Vulnerability
>
> The attached advisory and email were originally submitted on 09/08/2005, but
> a response has not yet been received. In accordance with our vendor
> disclosure policy (http://www.idefense.com/legal_disclosure.jsp) we will
> proceed with public disclosure of this issue if acknowledgement of receipt
> is not received within five business days.
>
> Regards,
> Michael Sutton
>
> Michael Sutton
> Director, iDEFENSE Labs
> iDEFENSE
> 1875 Campus Commons Drive, Suite 210
> Reston, VA 20191
> direct: 703.480.5628
> voice: 703.390.1230
> fax: 703.390.9456
> address@hidden
> www.idefense.com
>
> -----Original Message-----
> From: vendor-disclosure [mailto:address@hidden
> Sent: Thursday, September 08, 2005 11:50 PM
> To: address@hidden
> Cc: vendor-disclosure
> Subject: FW: iDEFENSE Security Advisory [IDEF1089] Multiple Vendor Lynx
> Command Injection Vulnerability
>
> The message below bounced.
>
> -----Original Message-----
> From: vendor-disclosure [mailto:address@hidden
> Sent: Thursday, September 08, 2005 11:27 PM
> To: address@hidden
> Cc: vendor-disclosure
> Subject: iDEFENSE Security Advisory [IDEF1089] Multiple Vendor Lynx Command
> Injection Vulnerability
>
> iDEFENSE has identified a Command Injection vulnerability in Lynx. This
> vulnerability was submitted to iDEFENSE through our Vulnerability
> Contributor Program:
>
> http://www.idefense.com/poi/teams/vcp.jsp
>
> iDEFENSE Labs has validated this vulnerability and has drafted the
> attached advisory. In accordance with our vendor disclosure policy
>
> http://www.idefense.com/legal_disclosure.jsp
>
> We would request that you acknowledge receipt of this initial
> notification within five business days so that we may begin the process
> of coordinating an appropriate public disclosure date for this issue
> that will provide your company with adequate time to develop a patch or
> workaround to mitigate this vulnerability. If you have questions
> regarding this issue or require further details to assist with your own
> analysis, please do not hesitate to contact us.
>
> It is always our goal to coordinate on the public disclosure of
> patches/advisories as quickly as possible after a vulnerability is
> discovered. If however a reasonable timeframe cannot be agreed upon for
> this issue, it will be publicly released in 60 days on 11/08/2005.
> iDEFENSE is willing to work with a vendor to find a mutually agreeable
> release date beyond this timeframe so long as the vendor continues to
> make good faith efforts to produce patches in a timely fashion and
> regularly informs iDEFENSE of their progress in doing so.
>
> Please note that if the affected product is included within other
> applications and/or operating systems, iDEFENSE will not be coordinating
> disclosure of the vulnerability to affected third parties. We would ask
> that you handle this coordination separately.
>
> Regards,
> Michael Sutton
>
> Michael Sutton
> Director, iDEFENSE Labs
> iDEFENSE
> 1875 Campus Commons Drive, Suite 210
> Reston, VA 20191
> direct: 703.480.5628
> voice: 703.390.1230
> fax: 703.390.9456
> address@hidden
> www.idefense.com
>
--
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net
Attachment: pub_Multiple Vendor Lynx Command Injection Vulnerability.txt (Text document)
Attachment description: This will create /tmp/lynx-test if vulnerable.