ISS X-Force Security Advisories on Checkpoint Firewall-1 and VPN-1
Ingevaldson, Dan (ISS Atlanta)
dsi at iss.net
Fri Feb 6 20:39:56 UTC 2004
ISS notified Check Point on 2/2/2004, and Check Point made their update
for the FW-1 HTTP issue on 2/4/2004. It is our policy to only release
public information when the affected vendor has published information
and/or released a fix.
Check Point only released one fix on 2/4/2004, not two fixes to address
both issues. As stated in the ISS VPN-1 Advisory, Check Point no longer
supports the VPN-1 4.1 line, and recommends that customers upgrade to
NG.
------------------
Daniel Ingevaldson
Director, X-Force R&D
dsi at iss.net
404-236-3160
Internet Security Systems, Inc.
The Power to Protect
http://www.iss.net
-----Original Message-----
From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of
Steven M. Bellovin
Sent: Thursday, February 05, 2004 2:56 PM
To: Rubens Kuhl Jr.
Cc: nanog at merit.edu
Subject: Re: ISS X-Force Security Advisories on Checkpoint Firewall-1
and VPN-1
In message <02e501c3ec1f$9a833fe0$020ba8c0 at NOTEBOOK>, "Rubens Kuhl Jr."
writes:
>
>
>
>Isn't it curious that two unrelated issues have been reported to
>CheckPoint at the same day and the patches came out on the same day ?
>Am I too paranoid, or it seems that CheckPoint had previous knowledge
>of the bugs and they agreed with ISS which date would be stated as
>notification to CP to make it appears that a quick response (two days)
>has been achieved on those issues ?
Why is that bad? I have no objection to giving vendors a reasonable
amount of time to fix problems before announcing the whole. Or is your
point that two days hardly seems like enough time to develop -- and
*test* -- a fix?
--Steve Bellovin, http://www.research.att.com/~smb
More information about the NANOG
mailing list