Re: [Proftpd-user] [Proftpd-devel] A new Secunia advisory
At 03:32 PM 11/28/2006, Francesco P. Lovergine wrote:
> http://secunia.com/advisories/23141/
>
> But for contents, it would be nice knowing if full disclosure is at
> least done after contacting developers :-/
I'm inclined to wonder myself at the timeliness of the notifications
by this "reliable researcher".
http://archives.neohapsis.com/archives/dailydave/2006-q4/0230.html
"If you think that I never report my bugs to vendors - I do that, sometimes."
(I wonder who asked the question? credibility problems from elsewhere?)
Follow the link in the Secunia report at
http://secunia.com/advisories/23141/ to
http://lists.grok.org.uk/pipermail/full-disclosure/2006-November/050935.html
IV. CREDIT
Discovered by Evgeny Legerov.
The vulnerability is a part of VulnDisco Pack Professional since
Jan, 2006.
Uh, part of his commercial for-sale package since January? And he's
notifying developers now?
http://elegerov.blogspot.com/
But here he says he notified developers of a now-patched bug on Nov
17. Then says the first version of his package was Nov 07. Then
mentions finding the latest bug months ago, mentioning it on Oct 05.
And on Nov 12 he apparently directly forbids anyone from notifying
the developers, in responding to Matus, saying that purchasers must
respect the license
http://www.gleg.net/vulndisco_professional_license.shtml
which says in part:
"Purchaser is not allowed to disclose the Pack in whole or
partly, to disclose any information concerning the Pack or
any information derived from the Pack."
which says to me that even if the ProFTPD development team had
purchased the VulnDisco Pack Professional at USD2299 plus USD559 per
quarter they couldn't risk, uh, disclosing fixes derived from the,
uh, paid-for package?
So he _might_ disclose, but others _can't_ disclose, so unless he
wants to brag, nobody can know? This cat-n-mouse smells fishy.
ProFTPD Users List <proftpd-users@proftpd.org>