[VIM] Minimizing error cascades in vulnerability information management

George A. Theall theall at tenablesecurity.com
Tue Nov 7 16:02:32 EST 2006


Steven M. Christey wrote:

> Most of the recent disclosures for a WebSphere XSS issue
> (CVE-2006-2431) mention the "faultfactor" element, including the NISCC
> report, the ProCheckUp announcement, and various vulnerability
> databases.
> 
> However, ProCheckUp's announcement also shows the vulnerable output:
> 
>   <faultactor>
> 
> i.e., "actor" not "factor".

And while we're on the subject, I noticed that both SecurityFocus and
Secunia claim incorrectly that the issue is resolved with Cumulative Fix
10 for the 5.1 series. [CVE doesn't mention that 5.1 is affected; it
is.] The fix was meant to be included in that Fix but didn't actually
make it until Cumulative Fix 12; i.e., see:

  http://www-1.ibm.com/support/search.wss?rs=0&q=PK26181&apar=only

I did verify that Cumulative Fix 12 did indeed correct the problem.

George
-- 
theall at tenablesecurity.com

