[21084] in bugtraq
Re: Cisco TFTPD 1.1 Vulnerability
daemon@ATHENA.MIT.EDU (Jim Duncan)
Tue Jun 19 00:48:37 2001
Message-Id: <200106182319.f5INJa425016@rtp-msg-core-1.cisco.com>
To: "Siberian" <siberian@splashpages.de>
Cc: bugtraq@securityfocus.com, psirt@cisco.com
Reply-To: psirt@cisco.com
In-Reply-To: Your message of "Mon, 18 Jun 2001 15:29:14 +0200."
<004601c0f7fa$acde2c20$0100007f@smax>
Date: Mon, 18 Jun 2001 19:21:03 -0400
From: Jim Duncan <jnduncan@cisco.com>

Siberian writes:
> [Sentry Research Labs - ID0201061701]
> (c) 2001 by www.sentry-labs.com
> [...]
> Topic:
> Security Bug in CISCO TFTPD server 1.1
>
> Vendor Status:
> Informed (06/17/01)

Just for the record, I checked with my teammates and can't find any
record that you contacted the Cisco Product Security Incident Response
Team (PSIRT). We're the group that handles vulnerabilities in all
Cisco products and we're easily reachable. It would've been more
helpful if you had contacted us privately beforehand and given us an
opportunity to make fixed code available before you posted the
vulnerability.

If you did contact someone at Cisco, could you let us know who that was
so we can follow up with that person? We'd like to make sure the
process works as best as it can. If I am in error, please correct me.

I have not yet validated the vulnerability, but will look into it as
soon as possible.

Regardless of the path the report took to get to us, we appreciate the
time and effort that goes into such reporting. Ultimately, everybody
benefits from full disclosure of product security vulnerabilities.

Thanks.

Jim
==
Jim Duncan, Product Security Incident Manager, Cisco Systems, Inc.
<http://www.cisco.com/warp/public/707/sec_incident_response.shtml>
E-mail: <jnduncan@cisco.com> Phone(Direct/FAX): +1 919 392 6209