Dailydave mailing list archives

NISCC's culmination of sitting on an ISAKMP vulnerability for 4 months


From: Paul Wouters <paul () xelerance com>
Date: Mon, 14 Nov 2005 14:45:45 +0100 (CET)



NISCC's achievement this time:

- do not release vulnerability information to open source vendors prior to
  release. Just tell them they cannot have the information for 4 months.
- try to postpone another 3 months, but get their hands forced by CERT-FI
- do not list vendors impacted in their announcement.
- do not request a CVE.
- give the public absolutely no information on the vulnerability and
  whether they are impacted or need to urgently upgrade or not.

I sincerely hope NISCC's infrastructure somewhere, somehow, depends on a
Linux or BSD machine that will be DOSed by this, and their manager will soon
become their PM.

See how it impacted us:

http://lists.openswan.org/pipermail/announce/2005-November/000008.html

Morons,

Paul

