[VIM] question about IRM advisory (fwd)

security curmudgeon jericho at attrition.org
Thu May 8 06:23:04 UTC 2008

And no reply since...

---------- Forwarded message ----------
From: security curmudgeon <jericho at attrition.org>
To: research at irmplc.com
Date: Wed, 30 Apr 2008 02:46:16 +0000 (UTC)
Subject: question about IRM advisory

In regards to:


First, it is extremely annoying that you make such "advisories" in a PDF format 
that does not allow cut-and-paste.

Second, under "Unauthorized Queue Access", it is unclear if this is describing 
a vulnerability in the software, a client misconfiguration or a 
misconfiguration that ships by default.

Third, you say that it is vulnerable to traffic sniffing, but then go on to say 
that it is vulnerable to "unauthorized decryption". Can you clarify if there is 
encryption available for traffic, but it is weak? Or is this in reference to 
encryption used on data not in transit?

In short, OSVDB is trying to determine how many real vulnerabilities are 
covered in this advisory in order to create tracking numbers in our database. 
In addition, it would be appreciated if IRM could request CVE 
(http://cve.mitre.org/) candidate numbers for the vulnerabilities found, so 
that there is an external standardized tracking number to help avoid this type 
of confusion.

Thank you,


More information about the VIM mailing list