[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Lynx-dev] RE: FW: iDEFENSE Security Advisory [IDEF1089] Multiple Ve

From: Ulf Harnhammar
Subject: Re: [Lynx-dev] RE: FW: iDEFENSE Security Advisory [IDEF1089] Multiple Vendor Lynx Command Injection Vulnerability
Date: Mon, 31 Oct 2005 09:53:45 +0100

> Well it is clearly the same person who made the September reports,

I have nothing to do with the iDEFENSE/vade79 bug.

> which did not discuss nntp or command execution. Seems he didn't 
> bother to report his further findings to the list: it is not like 
> we were hard to find back in September.

I reported the NULL dereferencing bug and not security-related buffer overflows 
(with data from configuration files like lynx.cfg) in public in September, as I 
saw them as bugs and not as security vulnerabilities.

The NNTP bug in October was treated as a secret, with communication between the 
vendor and various distributors first, as I saw it as a vulnerability and as I 
and the others from the Debian Security Audit Project believe in responsible 
full disclosure.

Perhaps I should have posted something here about the NNTP bug when it was made 
public on the 17th.

// Ulf Harnhammar

Surf the Web in a faster, safer and easier way:
Download Opera 8 at

Powered by Outblaze

reply via email to

[Prev in Thread] Current Thread [Next in Thread]