North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical RE: ISS X-Force Security Advisories on Checkpoint Firewall-1 and VPN-1
ISS notified Check Point on 2/2/2004, and Check Point made their update for the FW-1 HTTP issue on 2/4/2004. It is our policy to only release public information when the affected vendor has published information and/or released a fix. Check Point only released one fix on 2/4/2004, not two fixes to address both issues. As stated in the ISS VPN-1 Advisory, Check Point no longer supports the VPN-1 4.1 line, and recommends that customers upgrade to NG. ------------------ Daniel Ingevaldson Director, X-Force R&D [email protected] 404-236-3160 Internet Security Systems, Inc. The Power to Protect http://www.iss.net -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Steven M. Bellovin Sent: Thursday, February 05, 2004 2:56 PM To: Rubens Kuhl Jr. Cc: [email protected] Subject: Re: ISS X-Force Security Advisories on Checkpoint Firewall-1 and VPN-1 In message <[email protected]>, "Rubens Kuhl Jr." writes: > > > >Isn't it curious that two unrelated issues have been reported to >CheckPoint at the same day and the patches came out on the same day ? >Am I too paranoid, or it seems that CheckPoint had previous knowledge >of the bugs and they agreed with ISS which date would be stated as >notification to CP to make it appears that a quick response (two days) >has been achieved on those issues ? Why is that bad? I have no objection to giving vendors a reasonable amount of time to fix problems before announcing the whole. Or is your point that two days hardly seems like enough time to develop -- and *test* -- a fix? --Steve Bellovin, http://www.research.att.com/~smb |