North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: ISS X-Force Security Advisories on Checkpoint Firewall-1 and VPN-1

  • From: Ingevaldson, Dan (ISS Atlanta)
  • Date: Fri Feb 06 15:56:16 2004

ISS notified Check Point on 2/2/2004, and Check Point made their update
for the FW-1 HTTP issue on 2/4/2004.  It is our policy to only release
public information when the affected vendor has published information
and/or released a fix.

Check Point only released one fix on 2/4/2004, not two fixes to address
both issues.  As stated in the ISS VPN-1 Advisory, Check Point no longer
supports the VPN-1 4.1 line, and recommends that customers upgrade to

Daniel Ingevaldson
Director, X-Force R&D
[email protected] 
Internet Security Systems, Inc.
The Power to Protect

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of
Steven M. Bellovin
Sent: Thursday, February 05, 2004 2:56 PM
To: Rubens Kuhl Jr.
Cc: [email protected]
Subject: Re: ISS X-Force Security Advisories on Checkpoint Firewall-1
and VPN-1 

In message <[email protected]>, "Rubens Kuhl Jr."
>Isn't it curious that two unrelated issues have been reported to 
>CheckPoint at the same day and the patches came out on the same day ?
>Am I too paranoid, or it seems that CheckPoint had previous knowledge 
>of the bugs and they agreed with ISS which date would be stated as 
>notification to CP to make it appears that a quick response (two days) 
>has been achieved on those issues ?

Why is that bad?  I have no objection to giving vendors a reasonable
amount of time to fix problems before announcing the whole.  Or is your
point that two days hardly seems like enough time to develop -- and
*test* -- a fix?

		--Steve Bellovin,