[VIM] Vendor dispute - CVE-2006-1050 (Kwik-Pay)

Steve Tornio steve at vitriol.net
Thu Feb 15 19:01:40 EST 2007


Steven M. Christey wrote:
> Well, I just got another email from the developer asking me to remove the
> X-Force item that was apparently deleted (which we won't, because of
> historical reasons, not to mention that the dispute is still pending), and
> to change the description because it doesn't match what SECUNIA:19075
> says.  But it says "The security issue has been confirmed in version
> 4.2.20...  Update to version 4.2.22."  Which sure sounds to me like there
> used to be an issue and now there isn't.  Does anybody know of a changelog
> entry?
> 
> I eagerly await their reply.
> 
> By the way - does anybody record retracted disputes?  We have "* DISPUTED
> *" in the description only while the dispute is active, but I know we've
> had a number of retractions.
> 
> - Steve
> 

We got the same message.  I removed the ISS entry, because on our side, 
the broken link doesn't do us much good.  I'll happily re-add it if the 
entry re-appears.  Google cache still has the entry, and it's basically 
the same information as what we both have.

I asked him to clarify his problem between Secunia's description and 
ours.  I can't imagine we'll be moved by his arguments.  Sullo posted a 
changelog entry earlier that indicated they added ineffective encryption 
in 4.2.21 and then fixed the encryption for 4.2.22.

Steve
osvdb.org

