vendor/sec
. 2009-05-12:
Core notifies Apple Security Team that this is a multi-vendor issue
(affecting, for example, multiple Linux distributions), and asks if the
patch process of the CUPS vulnerability will be coordinated using the
vendor-sec mailing list [2].
. 2009-05-12:
Apple Product Security Team notifies Core they will contact vendor-sec
about this issue very soon and proposes to reschedule the advisory
publication date to June 2nd. The vendor also notifies the issue was
2009-09-04: vulnerability report received
2009-09-17: proof of concept received from reporter
2009-09-21: impact reviewed
2009-09-29: contacted poppler maintainer
2009-09-29: vendor-sec notified
2009-09-30: vendor-sec discussion expanded to include xpdf maintainer
2009-10-02: final fix agreed upon by both maintainers
2009-10-12: CVE assigned by Tomas Hoger of RedHat
2009-10-14: fixed Xpdf released
2009-10-18: fixed Poppler released
Various Linux vendors will issue patched versions soon.
======================================================================
6) Time Table
08/10/2008 - vendor-sec contacted.
08/10/2008 - vendor-sec replied.
13/10/2008 - Red Hat asks for additional information.
14/10/2008 - Reply sent to Red Hat.
22/10/2008 - Public disclosure.
Disclosure Timeline:
15. Aug 2008 - Sent notification to Joomla about the vulnerability
20. Aug 2008 - Resent notification because no reply from Joomla
20. Aug 2008 - Received confirmation
21. Aug 2008 - Received a forwarded message from vendor-sec discussing
the vulnerability - obviously Joomla shared our report
with vendor-sec without asking or notifying us.
21. Aug 2008 - In a reply to the forwarded message we recommended NOT
TO USE mt_srand for the password reset
03. Sep 2008 - On Joomla.org appears a blog post notifying their users
2008-08-19: initial patches for Horde and Popoon supplied by vendors.
2008-08-19: reporter calls out additional possible vectors in externalinput.php.
2008-08-20: secondary fixes for externalinput.php supplied.
2008-08-20: attempted to contact CakePHP.
2008-09-04: final Horde patches supplied.
2008-09-04: potentially affected oCERT members and vendor-sec notified.
2008-08-05: CVEs assigned.
2008-09-05: oCERT requests end of embargo to be Sep 10, 1700 UTC.
2008-09-06: contacted phlymail lite; confirmed unaffected.
2008-09-06: notified all secondary vendors above.
2008-09-06: acknowledgement from cakephp, noserub, phpmyfaq.
will be supplied.
22 November 2010 Cisco confirms fixes are available and have started to
be deployed in current firmware
28 December 2010 vendor-sec informed (among other issues)
05 February 2011 FreeBSD informed (made aware via vendor-sec 5 weeks
before)
20 February 2011 Juniper informed
Do not load untrusted images using the library.
======================================================================
6) Time Table
24/06/2010 - Vendor and vendor-sec notified.
11/08/2010 - Response on vendor-sec
11/08/2010 - Public disclosure.
======================================================================
7) Credits
The time line is as follows:
* Aug 29, 2007: Initial report from Rick King.
* Aug 29, 2007: First response from Samba developers confirming
the bug along with a proposed patch.
* Sep 4, 2007: Announcement to vendor-sec mailing list.
* Sep 11, 2007: Public security advisory made available.
==========================================================
2010-02-08: libwww-perl acknowledged the report, preliminary analysis for
the reported issues provided
2010-03-25: lftp 4.0.6 released
2010-05-05: libwww-perl-5.836 released
2010-05-10: contacted affected vendors
2010-05-14: failure reported during notification process of vendor-sec
list, notification re-sent
2010-05-17: advisory published
Permalink:
http://www.ocert.org/advisories/ocert-2010-001.html
======================================================================
6) Time Table
15/05/2008 - Vendor notified.
15/05/2008 - vendor-sec notified.
16/05/2008 - Vendor response.
28/05/2008 - Public disclosure.
======================================================================
7) Credits
======================================================================
6) Time Table
04/11/2009 - Vendor notified.
12/11/2009 - Second attempt to contact vendor. Also notified
vendor-sec mailing list.
13/11/2009 - Vendor response.
17/11/2009 - Public disclosure.
======================================================================
7) Credits
======================================================================
6) Time Table
22/11/2007 - Vendor notified.
22/11/2007 - vendor-sec notified.
23/11/2007 - Vendor response.
10/12/2007 - Public disclosure.
======================================================================
7) Credits
======================================================================
6) Time Table
17/10/2007 - Vendor notified.
22/10/2007 - vendor-sec notified.
19/10/2007 - Vendor response.
07/11/2007 - Public disclosure.
======================================================================
7) Credits
======================================================================
6) Time Table
26/03/2009 - Vendor notified.
26/03/2009 - vendor-sec notified.
17/04/2009 - Public disclosure.
======================================================================
7) Credits
Do not open untrusted DICOM files.
======================================================================
6) Time Table
27/11/2009 - Vendor and vendor-sec notified.
03/12/2009 - Vendor response.
04/12/2009 - Public disclosure.
======================================================================
7) Credits
Timeline:
2008-10-22: vulnerability report received
2008-11-11: failed to contact gnome-upstream privately (ml, bugs)
2008-11-27: contacted vendor-sec as gnome-upstream
2008-11-28: thoger confirms and assigns initial CVE
2008-11-29: flameeyes notes other potentially affected libraries
2008-12-05: thoger supplies glib patch; scope expanded to include eds, gst
2009-01-14: patch review by mclasen; thoger analysis eds, soup
2009-01-26: gst-plugins-base detailed analysis by thoger
======================================================================
6) Time Table
30/10/2007 - Vendor notified.
30/10/2007 - vendor-sec notified.
30/10/2007 - Vendor response.
15/11/2007 - Public disclosure.
======================================================================
7) Credits
Timeline:
2009-02-22: attempted to contact upstream via gtk-i18n-list@gnome.org
2009-02-25: bug filed with Mozilla against firefox
2009-03-02: Behdad Esfahbod patched Pango upstream for 1.24
2009-04-13: vendor-sec alerted regarding backporting the silent pango fix
2009-04-23: embargo date and CVE assigned (thanks Josh Bressers!)
2009-05-07: advisory released
References:
======================================================================
6) Time Table
26/03/2009 - Vendor notified.
26/03/2009 - vendor-sec notified.
02/04/2009 - Vendor response.
09/04/2009 - Public disclosure.
======================================================================
7) Credits
======================================================================
6) Time Table
23/10/2007 - Vendor notified.
23/10/2007 - vendor-sec notified.
24/10/2007 - Vendor response.
07/11/2007 - Public disclosure.
======================================================================
7) Credits
======================================================================
6) Time Table
16/10/2007 - Vendor notified.
22/10/2007 - vendor-sec notified.
31/10/2007 - Public disclosure.
======================================================================
7) Credits
======================================================================
6) Time Table
26/03/2009 - Vendor notified.
26/03/2009 - vendor-sec notified.
27/03/2009 - Vendor response.
17/04/2009 - Public disclosure.
======================================================================
7) Credits