[Secure-testing-team] Re: iDEFENSE Security Advisory [IDEF1202] Multiple Vendor wget/curl NTLM Buffer Overflow Vulnerability

Noèl Köthe noel at debian.org
Thu Oct 13 08:33:31 UTC 2005


Hello,

FYI from wget:

Debian stable doesn't have this problem because NTLM is a new feature in
wget 1.10 (http://svn.dotsrc.org/repo/wget/tags/WGET_1_10_1/NEWS see *
Changes in Wget 1.10.) and sarge has 1.9.x

It is a problem in etch/sid.
Until now there has been no reaction from upstream.

On Wednesday, 12.10.2005, at 16:15 -0400, vendor-disclosure wrote:
> iDEFENSE has identified an NTLM Buffer Overflow Vulnerability in
> wget/curl. This vulnerability was submitted to iDEFENSE through our
> Vulnerability Contributor Program:
> 
> 	http://www.idefense.com/poi/teams/vcp.jsp
> 
> iDEFENSE Labs has validated this vulnerability and has drafted the
> attached advisory. In accordance with our vendor disclosure policy 
> 
> 	http://www.idefense.com/legal_disclosure.jsp
> 
> We would request that you acknowledge receipt of this initial
> notification within five business days so that we may begin the process
> of coordinating an appropriate public disclosure date for this issue
> that will provide your company with adequate time to develop a patch or
> workaround to mitigate this vulnerability. If you have questions
> regarding this issue or require further details to assist with your own
> analysis, please do not hesitate to contact us.
> 
> It is always our goal to coordinate on the public disclosure of
> patches/advisories as quickly as possible after a vulnerability is
> discovered. If however a reasonable timeframe cannot be agreed upon for
> this issue, it will be publicly released in 60 days on 12/12/2005.
> iDEFENSE is willing to work with a vendor to find a mutually agreeable
> release date beyond this timeframe so long as the vendor continues to
> make good faith efforts to produce patches in a timely fashion and
> regularly informs iDEFENSE of their progress in doing so.
> 
> Please note that if the affected product is included within other
> applications and/or operating systems, iDEFENSE will not be coordinating
> disclosure of the vulnerability to affected third parties. We would ask
> that you handle this coordination separately.
> 
> Regards,
> Michael Sutton
> 
> Michael Sutton
> Director, iDEFENSE Labs
> iDEFENSE
> 1875 Campus Commons Drive, Suite 210
> Reston, VA 20191
> direct: 703.480.5628
> voice: 703.390.1230
> fax: 703.390.9456
> msutton at idefense.com
> www.idefense.com

-- 
Noèl Köthe <noel debian.org>
Debian GNU/Linux, www.debian.org