RE: ISS X-Force Security Advisories on Checkpoint Firewall-1 and VPN-1
ISS notified Check Point on 2/2/2004, and Check Point made their update for the FW-1 HTTP issue on 2/4/2004. It is our policy to only release public information when the affected vendor has published information and/or released a fix. Check Point only released one fix on 2/4/2004, not two fixes to address both issues. As stated in the ISS VPN-1 Advisory, Check Point no longer supports the VPN-1 4.1 line, and recommends that customers upgrade to NG. ------------------ Daniel Ingevaldson Director, X-Force R&D dsi@iss.net 404-236-3160 Internet Security Systems, Inc. The Power to Protect http://www.iss.net -----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Steven M. Bellovin Sent: Thursday, February 05, 2004 2:56 PM To: Rubens Kuhl Jr. Cc: nanog@merit.edu Subject: Re: ISS X-Force Security Advisories on Checkpoint Firewall-1 and VPN-1 In message <02e501c3ec1f$9a833fe0$020ba8c0@NOTEBOOK>, "Rubens Kuhl Jr." writes:
Isn't it curious that two unrelated issues have been reported to CheckPoint at the same day and the patches came out on the same day ? Am I too paranoid, or it seems that CheckPoint had previous knowledge of the bugs and they agreed with ISS which date would be stated as notification to CP to make it appears that a quick response (two days) has been achieved on those issues ?
Why is that bad? I have no objection to giving vendors a reasonable amount of time to fix problems before announcing the whole. Or is your point that two days hardly seems like enough time to develop -- and *test* -- a fix? --Steve Bellovin, http://www.research.att.com/~smb
participants (1)
-
Ingevaldson, Dan (ISS Atlanta)