[26377] in bugtraq
Re: Arbitrary Code Execution Vulnerability in VanDyke SecureCRT
daemon@ATHENA.MIT.EDU (VanDyke Technical Support)
Mon Jul 29 14:43:06 2002
Date: 29 Jul 2002 16:35:47 -0000
Message-ID: <20020729163547.8536.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: VanDyke Technical Support <support@vandyke.com>
To: bugtraq@securityfocus.com
In-Reply-To: <JIEPJGFPFMFIGBNCPKGGGEJHCLAA.bstrauss3@attbi.com>
We have released versions of SecureCRT that address this
vulnerability. This fix is available for ALL of our licensed
customers without charge. VanDyke Software recommends that all
users of SecureCRT upgrade immediately to the available versions.
Updated installers are available on our website:
Users who purchased SecureCRT licenses before January 1, 2000
(including users of SecureCRT 2.x) should upgrade to SecureCRT
3.2.2:
http://www.vandyke.com/download/securecrt/3.2/index.html
Users who purchased SecureCRT licenses before July 1, 2000
should upgrade to SecureCRT 3.3.4:
http://www.vandyke.com/download/securecrt/3.3/index.html
Users who purchased licenses on or after June 1, 20001 should
upgrade to SecureCRT 3.4.6 or SecureCRT 4.0 beta 3.
SecureCRT 3.4.6:
http://www.vandyke.com/download/securecrt/index.html
SecureCRT 4.0 beta 3:
http://www.vandyke.com/download/securecrt/beta.html
For more information about this vulnerability and VanDyke
Software's response to it, please visit our Security Advisory
page:
http://www.vandyke.com/products/securecrt/security07-25-02.html
If there are any questions related to these releases, please
send email to support@vandyke.com.
-Daniel Prevett
VanDyke Software Technical Support
support@vandyke.com
http://www.vandyke.com
>You know, that's only partially a solution. For those of us who haven't
>chosen to PAY for the upgrade to 3.4, we're left out in the cold.
Quoting
>from VanDyke's web page:
>
>"All users may evaluate SecureCRT 3.4 for 30 days free of charge.
Registered
>users who purchased licenses before July 1, 2000 should consult the
Upgrade
>Eligibility page to learn about licensing the 3.4 upgrade."
>
>and
>
>"SecureCRT Upgrade
>
>Registered users who purchased licenses before July 1, 2001 may choose to
>purchase SecureCRT upgrades starting at $39.95 for a single copy.
>
><snip />
>
>SecureCRT users who purchased licenses between January 1 and July 1, 2000
>are eligible to download SecureCRT 3.3.3 and upgrade without charge.
>SecureCRT users who purchased licenses before January 1, 2000 are
eligible
>to download SecureCRT 3.2.1 and upgrade without charge."
>
>
>I'm not unsympathetic to the need to have a licensing revenue stream, but
>let's remember that this leaves (dozens? hundreds? thousands? Just me) of
>your customers unprotected.
>
>-----Burton
