[67263] in North American Network Operators' Group
RE: ISS X-Force Security Advisories on Checkpoint Firewall-1 and VPN-1
daemon@ATHENA.MIT.EDU (Ingevaldson, Dan (ISS Atlanta))
Fri Feb 6 15:53:53 2004
Date: Fri, 6 Feb 2004 15:39:56 -0500
From: "Ingevaldson, Dan (ISS Atlanta)" <dsi@iss.net>
To: "Steven M. Bellovin" <smb@research.att.com>,
"Rubens Kuhl Jr." <rubens@email.com>
Cc: <nanog@merit.edu>
Errors-To: owner-nanog-outgoing@merit.edu
ISS notified Check Point on 2/2/2004, and Check Point made their update
for the FW-1 HTTP issue on 2/4/2004. It is our policy to only release
public information when the affected vendor has published information
and/or released a fix.
Check Point only released one fix on 2/4/2004, not two fixes to address
both issues. As stated in the ISS VPN-1 Advisory, Check Point no longer
supports the VPN-1 4.1 line, and recommends that customers upgrade to
NG.
------------------
Daniel Ingevaldson
Director, X-Force R&D
dsi@iss.net
404-236-3160
Internet Security Systems, Inc.
The Power to Protect
http://www.iss.net
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of
Steven M. Bellovin
Sent: Thursday, February 05, 2004 2:56 PM
To: Rubens Kuhl Jr.
Cc: nanog@merit.edu
Subject: Re: ISS X-Force Security Advisories on Checkpoint Firewall-1
and VPN-1
In message <02e501c3ec1f$9a833fe0$020ba8c0@NOTEBOOK>, "Rubens Kuhl Jr."
writes:
>Isn't it curious that two unrelated issues have been reported to
>CheckPoint on the same day and the patches came out on the same day?
>Am I too paranoid, or does it seem that CheckPoint had previous knowledge
>of the bugs and agreed with ISS which date would be stated as
>notification to CP to make it appear that a quick response (two days)
>has been achieved on those issues?
Why is that bad? I have no objection to giving vendors a reasonable
amount of time to fix problems before announcing the hole. Or is your
point that two days hardly seems like enough time to develop -- and
*test* -- a fix?
--Steve Bellovin, http://www.research.att.com/~smb