Checkpoint Firewall-1 HTTP Parsing Format String Vulnerabilities

Vendor Notification Schedule:
Vendor notified - 2/2/2004
Checkpoint patch developed and made available - 2/4/2004
ISS X-Force Advisory released - 2/4/2004

Checkpoint VPN-1/SecureClient ISAKMP Buffer Overflow

Vendor Notification Schedule:
Vendor notified - 2/2/2004
Checkpoint patch developed and made available - 2/4/2004
ISS X-Force Advisory released - 2/4/2004

Isn't it curious that two unrelated issues were reported to CheckPoint on the same day and the patches came out on the same day? Am I too paranoid, or does it seem that CheckPoint had previous knowledge of the bugs and they agreed with ISS which date would be stated as notification to CP to make it appear that a quick response (two days) had been achieved on those issues?

Rubens

----- Original Message -----
From: "Ingevaldson, Dan (ISS Atlanta)" <dsi@iss.net>
To: <nanog@merit.edu>
Sent: Thursday, February 05, 2004 1:32 AM
Subject: ISS X-Force Security Advisories on Checkpoint Firewall-1 and VPN-1

Nanog-

ISS X-Force released two X-Force Security Advisories this evening detailing high-risk issues in Checkpoint Firewall-1 and VPN-1. Please refer to the following URLs for more information:

http://xforce.iss.net/xforce/alerts/id/162
http://xforce.iss.net/xforce/alerts/id/163

------------------
Daniel Ingevaldson
Director, X-Force R&D
dsi@iss.net
404-236-3160

Internet Security Systems, Inc.
The Power to Protect
http://www.iss.net