scheduled
05/03/2009 - Vendor provides status update (having problems
reproducing the reported vulnerability).
06/03/2009 - Additional details and crash dump provided to vendor.
22/05/2009 - Vendor provides status update (still investigating).
12/08/2009 - Vendor provides status update (vulnerability confirmed).
24/09/2009 - Vendor provides status update (scheduled for December).
29/10/2009 - Vendor provides status update (still scheduled for
December, but may slip to February 2010).
18/12/2009 - Vendor provides status update (scheduled for March 2010).
12/02/2010 - Vendor provides status update (scheduled for April).
04/03/2010 - Vendor provides status update (scheduled for April).
release. Vendor requests an updated version of the advisory, and to
include a vendor statement.
. 2010-07-22:
Core requests an update on the status of the vulnerability report; and
informs that publication of its advisory has been rescheduled to August
10, 2010, despite the fact that Core did not receive any updates. Core
informs that the publication of this advisory is transferred to a new
case manager.
. 2010-08-04:
6) Time Table
14/07/2009 - Vendor notified.
14/07/2009 - Vendor response.
20/08/2009 - Vendor provides status update.
24/09/2009 - Vendor provides status update (scheduled for fall 2009).
29/10/2009 - Vendor provides status update (scheduled for March 2010).
28/05/2010 - Vendor provides status update (slipped from March 2010
release and now scheduled for August 2010).
02/06/2010 - Vendor provides status update.
23/07/2010 - Vendor provides status update (slipped from August 2010
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Cisco Unified CallManager version 4.1(3)SR8 contains fixes for all
vulnerabilities affecting Cisco Unified CallManager version 4.1
listed in this advisory, and is scheduled to be released in early
October 2008.
Cisco Unified CallManager version 4.2(3)SR4b contains fixes for all
vulnerabilities affecting Cisco Unified Communications Manager
version 4.2.x listed in this advisory, and is scheduled to be
9. *Report Timeline*
. 2009-08-12:
Core Security Technologies notifies the HP Software Security Response
Team (SSRT) of the vulnerability and preliminary schedule to publish the
corresponding security advisory on September 8th 2009. Core asks for
acknowledgement of the email within 2 working days and whether HP SSRT
prefers to receive the technical description of the bug encrypted or in
plaintext.
April 14th, 2008.
. 2008-03-13: Vendor acknowledges notification.
. 2008-03-31: Core requests information concerning Microsoft's plans to
fix the vulnerability (no reply received).
. 2008-04-16: Core requests again information concerning Microsoft's
schedule to produce a fix. The advisory publication is rescheduled for
May 12th, 2008.
. 2008-04-25: Vendor informs that they are wrapping up the investigation
and threat model analysis and that fixes will not be included in the
Word Security Bulletin of May. Vendor estimates that it will take a few
months to produce and test a fix for the vulnerability. Vendor promises
08/12/2009 - Vendor provides status update.
29/01/2010 - Vendor provides status update.
30/04/2010 - Vendor provides status update (tentatively targeting
August 2010).
23/07/2010 - Vendor provides status update (slipped from August 2010
release and now scheduled for November 2010).
04/11/2010 - Vendor provides status update (slipped from November 2010
release and now scheduled for December 2010).
08/11/2010 - Vendor informed that this is the final deadline.
14/12/2010 - Public disclosure.
09/07/2009 - Vendor notified.
09/07/2009 - Vendor response.
15/08/2009 - Vendor provides status update.
25/09/2009 - Vendor provides status update.
11/01/2010 - Status update requested.
11/01/2010 - Vendor provides status update (scheduled for May 2010).
30/04/2010 - Vendor provides status update (slipped from May 2010
release and now tentatively targeting August 2010).
23/07/2010 - Vendor provides status update (slipped from August 2010
release and now tentatively targeting November 2010).
11/08/2010 - Vendor provides status update.
08/12/2009 - Vendor provides status update.
29/01/2010 - Vendor provides status update.
30/04/2010 - Vendor provides status update (tentatively targeting
August 2010).
23/07/2010 - Vendor provides status update (slipped from August 2010
release and now scheduled for November 2010).
04/11/2010 - Vendor provides status update (slipped from November 2010
release and now scheduled for December 2010).
08/11/2010 - Vendor informed that December is the final deadline.
14/12/2010 - Public disclosure.
29/06/2007 - Vendor notified via e-mail.
03/07/2007 - Vendor notified via online support form.
05/07/2007 - Vendor response.
25/09/2007 - Vendor informs that fix will be implemented in next
release scheduled for December 2007.
04/12/2007 - Vendor informs that release of fixed version is pushed to
February 2008.
18/01/2008 - Contacted by QA Manager and offered to test beta release.
22/01/2008 - Vendor contacted to acknowledge that vulnerability is
fixed in beta release.
09/07/2009 - Vendor response.
25/09/2009 - Vendor provides status update.
30/04/2010 - Vendor provides status update (tentatively targeting
August 2010).
23/07/2010 - Vendor provides status update (slipped from August 2010
release and now scheduled for November 2010).
04/11/2010 - Vendor provides status update (slipped from November 2010
release and now scheduled for December 2010).
08/11/2010 - Vendor informed that December is the final deadline.
14/12/2010 - Public disclosure.
Vulnerable IP SLA Source Device Configurations
+---------------------------------------------
An IP SLA source device is a Cisco IOS device that has at least one
IP SLA operation configured. To be vulnerable a probe originator
needs to have at least one scheduled probe that uses either of the
following IP SLA operations:
* udp-jitter probe
* udp-echo
. 2010-10-28:
Core Security Technologies resends the last e-mail, unilaterally
rescheduling the publication of this advisory to November 8th 2010,
which is closer to Cisco's initial estimation for the release of a fix.
Core states its willingness to reschedule this publication date but only
under firm commitment from Cisco to working seriously towards fixing
this issue in a scheduled timeframe. An updated advisory draft is
attached which includes an updated timeline.
. 2010-10-30:
publication date.
. 2010-09-28:
Apple acknowledges the communication informing that this issue will be
fixed in the next security update of Mac OS X 10.5, which is tentatively
scheduled for the end of October without a firm date of publication.
. 2010-08-31:
Apple asks Core about credit information for the advisory.
. 2010-09-28:
*Report Timeline*
. *2007-10-16*: Initial contact email sent to the VMware Security Team
notifying discovery of a Priority 1 vulnerability in accordance to the
vendor's security policy [9]. A draft security advisory describing the
problem is available. Public disclosure of the vulnerability is scheduled
on November 5th, 2007.
. *2007-10-17*: Vendor acknowledges notification, provides public key and
requests a draft of the security advisory.
. *2007-10-17*: Core sends the draft advisory.
. *2007-10-19*: Vendor indicates it will be able to address the issue in
Core asks MSRC if it is still on track to release patches on February
10th, 2009.
. 2009-01-09:
MSRC responds that the out-of-band fix released in December [6] took a
lot of the resources that were assigned to February's release schedule
and will not be able to meet the February release date. MSRC informs the
next available release date would be April 14th, 2009.
. 2009-03-23:
Core asks MSRC if it is still on track to release fixed versions on
there is no information available about how or when it will be fixed.
2007-10-17: Email from Core’s Security advisories team requesting a status
update and indicating that the original date planned for publication of
the advisory has already passed without any communication from IBM
regarding the issue, let alone any concrete plans to fix the bug. The
publication date for Core's security advisory has been re-scheduled for
October 30th, 2007. The date remains flexible on the basis of receiving
concrete and specific details about availability of fixes by Wednesday,
October 24th. An up to date copy of the security advisory provided for
comments and suggested workarounds.
2007-10-23: Email from Lotus Notes Security indicating that a ticket had
6) Time Table
05/07/2007 - Vendor notified.
05/07/2007 - Vendor response.
25/09/2007 - Vendor informs that fix will be implemented in next
release scheduled for December 2007.
04/12/2007 - Vendor informs that release of fixed version is pushed to
February 2008.
18/01/2008 - Contacted by QA Manager and offered to test beta release.
22/01/2008 - Vendor contacted (vulnerabilities not properly fixed in
provided beta release).
11/01/2010 - Vendor provides status update (tentatively targeting
May 2010).
30/04/2010 - Vendor provides status update (slipped from May 2010
release and now tentatively targeting August 2010).
23/07/2010 - Vendor provides status update (slipped from August 2010
release and now scheduled for November 2010).
04/11/2010 - Vendor provides status update (slipped from November 2010
release and now scheduled for December 2010).
08/11/2010 - Vendor informed that December is the final deadline.
14/12/200X - Public disclosure.
vendor has been able to reproduce the vulnerability and requests details
concerning the plan to release fixes and asks for the additional
information that the vendor would like to include in the advisory (in
the "vendor information" section). Core reminds the vendor that the
original publication date of the advisory was February 25th and states
that the publication of the advisory is now re-scheduled to March 24th
because fixed versions were not available at the date initially scheduled.
. 2008-03-25:
Vendor confirms that it reproduced and identified the vulnerability and
indicates that the official stance is that CitectSCADA is not designed
expected to be released ultimo September 2010.
02/08/2010 - Secunia confirms that the patch properly fixes the
reported vulnerability. Vendor informed that coordinated
disclosure date is set to 30th September 2010.
27/09/2010 - Status update requested to confirm that the vendor is
on-track for the scheduled disclosure date.
29/09/2010 - Vendor asks for disclosure to be delayed until hearing
back from the development team.
12/10/2010 - Status update requested. Disclosure date now set to 20th
October 2010.
19/10/2010 - Vendor provides status update.
longer.
30/11/2009 - Status update requested again.
30/11/2009 - Vendor response (coordinating with Adobe on recommending
users to install the latest version of Adobe Flash Player
instead).
07/12/2009 - Vendor informed that Secunia has scheduled the advisory
for disclosure on 12th January 2010.
15/12/2009 - Vendor response (more time requested along with draft of
Secunia advisory).
21/12/2009 - Draft of Secunia Research advisory sent to the vendor.
Vendor also informed that disclosure won't be postponed.
bug confirmation, expectations should be to allow for two business weeks
for an estimated timeline to resolution. Core's PGP/GPG key requested.
*2007-08-23*: Draft advisory and GPG public key sent to AOL's PVT.
*2007-08-31*: Acknowledgement from AOL confirming the existence of the
vulnerabilities in AOL's IM clients. AOL indicates that the development
and QA teams are working on fixes with an estimated release scheduled for
mid-October. Additionally, note that one of the IM clients requires
coordination with a third-party.
*2007-09-04*: Reply from Core, acknowledging the previous email from AOL
PVT. Release date for the advisory set to October 16th in accordance to
AOL's estimation. Core indicates that there is no indication of
======================================================================
3) Vendor's Description of Software
"Internet Download Manager (IDM) is a tool to increase download speeds
by up to 5 times, resume and schedule downloads. Comprehensive error
recovery and resume capability will restart broken or interrupted
downloads due to lost connections, network problems, computer
shutdowns, or unexpected power outages.".
Product Link:
QuahogCon has two tracks:
* Information Security
* Maker Culture
Some topics may fit into both tracks, such as a hardware hack that exposes a security vulnerability. Choose one or both tracks when submitting your proposal and we'll figure it out when we make the schedule.
Information Security Track
We're looking for interesting presentations on new, original security research. It would be best to debut a whole new talk, but updates to existing recent work are perfectly acceptable, too. We're looking to hear from both new voices and the usual suspects. A minor amount of preference will be given to folks from the Northeast who have never presented at a con before, for whatever reason.
and that they are assessing the exploitability of the bug.
. 2009-09-08:
The Microsoft team informs Core that their analysis confirms the bug is
exploitable, and that it will be addressed in a security bulletin; that
they are still working on estimating a release schedule and identifying
other software products and versions affected by the issue; that they
believe that the scheduled publication date (November 17th) cannot be
met by a security update; and requests that Core postpones publication.
. 2009-09-14:
the impact for both guest and host machines.
. 2009-10-06:
Core Security Technologies requests an update on the issue. Core
Security Technologies also notifies the Vendor that November 16th is the
scheduled publication date but reminds that the date can be coordinated
with the vendor.
. 2009-10-08:
MSRC says that it is looking at the issue with priority, confirmed the
findings using the provided proof-of-concept tool but it is still
== DeepSec In-Depth Security Conference 2009 "TripleSec" ==
This is a reminder for the third DeepSec conference, taking place between
17th and 20th November at the Imperial Riding School Renaissance Hotel.
== Schedule ==
The schedule of all presentations can be found on our web site:
https://deepsec.net/schedule/
Random speaker and content from the schedule: