In message <20021113044904.GA6374@alcove.wittsend.com>, "Michael H. Warfield" w
rites:
Haven't seen mention of this yet today and DNS affects most everyone in
some way. The advisory was released a day early according to FreeBSD
security officer.
Just to reiterate (I realize, in my haste, I forgot to include
a reference or a quote in my earlier message)...
Here is a quote from Vixie on Slashdot:
] "ISS and ISC worked together on this. ISS found the
] vulns, ISC worked with the vendors, and both of us
] worked with CERT and coordinated the announcements.
]=20
] Paul Vixie
] Chairman, ISC"
Doesn't sound like "released a day early" to me.
CERT said that the ISS advisory was to be released on 13 November, and
that the patch would be available from ISC next week. There was no
indication about when CERT itself was going to issue an advisory, but
clearly someone said something a day earlier than had been expected.
--Steve Bellovin, error (me)
http://www.wilyhacker.com ("Firewalls" book)
CERT said that the ISS advisory was to be released on 13 November, and
that the patch would be available from ISC next week. There was no
indication about when CERT itself was going to issue an advisory, but
clearly someone said something a day earlier than had been expected.
Cool... That nails it then. CERT had it wrong. I think
Paul notified CERT, but I could be easily wrong on that and will verify...
Thanks!
--Steve Bellovin, error (me)
http://www.wilyhacker.com ("Firewalls" book)
Mike
This does beg the question (not that I hold *you* responsible!)
why the advisory had to come out before the patch. Does anyone
know whether the news had escaped to the blackhats? Otherwise
I cannot understand the rationale.
Barney
This does beg the question (not that I hold *you* responsible!)
why the advisory had to come out before the patch. Does anyone
know whether the news had escaped to the blackhats? Otherwise
I cannot understand the rationale.
Barney
Asking the wrong person on at one. And by that, I mean both
Steve (who has nothing to do with it) and myself (I'm the Senior Researcher
and Fellow at ISS, so I guess I do have something to do with it). ISS was
under the impression that the patches and new sources WOULD be available
when we released. We released as agreed upon and they weren't. What
can I say...
> CERT said that the ISS advisory was to be released on 13 November, and
> that the patch would be available from ISC next week. There was no
> indication about when CERT itself was going to issue an advisory, but
> clearly someone said something a day earlier than had been expected.
Cool... That nails it then. CERT had it wrong. I think
Paul notified CERT, but I could be easily wrong on that and will verify...
Checked it out. We notified CERT (Paul or ISC may have as well,
I don't know about that). Here is what we sent them...
] -----Original Message-----
] From: Ingevaldson, Dan (ISS Atlanta)
] Sent: Monday, November 11, 2002 5:40 PM
] To: 'CERT Coordination Center'
] Subject: ISS advisory
]
] Team-
]
] This information was provided to us by ISC today on issues that ISS X-Force discovered. We will be releasing our security advisory tomorrow. Any questions regarding this material should be directed to the ISC security contact.
> <<bind_security_11082002.tar.gz.pgp>> > > <<bind_security_11082002.txt.pgp>>
Regards,
Dan Ingevaldson
Team Lead, X-Force R&D
dsi@iss.net
404-236-3160
Internet Security Systems, Inc.
The Power to Protect
http://www.iss.net/>
Note the date... Note that we said "tomorrow". Note that it
was also 5:40 PM EST. I'll accept that the choice of terminology
probably led to the confusion, especially considering the late time.
If they processed the message on the 12th and didn't look at the date
in our notice then they could easily have gotten their date wrong.
I'll mention it to Dan that we should never use relative date
terminology in notices like this and to stick with absolute dates,
even if it is "tomorrow".
I wonder if we need to start timestamping some of our notices
in addition to PGP signing them... Another topic, another time...
Sigh...
Thanks!
> --Steve Bellovin, error (me)
> http://www.wilyhacker.com ("Firewalls" book)
Regards,
Mike