[VIM] new strategy for dealing with pesky vulnerabilities
jericho at attrition.org
Mon Oct 8 06:00:51 UTC 2007
11/02/2004 Initial vendor notification
11/03/2004 Initial vendor response
12/19/2005 Second vendor notification
01/30/2007 Third vendor notification
01/30/2007 Third vendor response
04/25/2007 Status update requested
06/08/2007 Status update requested
07/24/2007 Status update requested
07/30/2007 Vendor stated product's support ended in 2002
08/06/2007 Vendor communicated their response
08/07/2007 Coordinated public disclosure

November 2, 2004, HP is informed of the vulnerability in HP-UX 11.11i.
Almost three years later, HP says "product's support ended in 2002". Also
from the advisory:

    Hewlett-Packard states that this product is obsolete and no longer
    supported. They have no plans to release a patch or advisory. They
    further stated that the version of HP-UX used to verify this
    vulnerability is also obsolete.

"HP simply recommends that customers upgrade to a currently supported OS
release and to some other tool, if one is available."

So it took HP almost three years to realize the software was no longer
supported and say that is a solution?