Full Disclosure

A lightly moderated high-traffic forum for disclosure of security information. Fresh vulnerabilities sometimes hit this list many hours before they pass through the Bugtraq moderation queue. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. Unfortunately, most of the posts are worthless drivel, so finding the gems takes patience.

Re: 0day Vulnerability in VLC (this is my first release of the vuln anywhere)

23 April, 2013 - 09:56

Posted by Georgi Guninski on Apr 23

Completely disagree.

IMHO nobody should bother negotiating with terrorist vendors.

Q: What responsibility do vendors have?
A: Zero. Check their disclaimers.

Re: 0day Vulnerability in VLC (this is my first release of the vuln anywhere)

23 April, 2013 - 09:18

Posted by Gregory Boddin on Apr 23

That's indeed not rocket science.

Nobody should release their disclosure/exploit (or give a hint about it) in
the wild before letting the vendor fix it.

There are already enough blackhats out there selling/using those.

I sure hope I am not the only person in the list who wishes responsible

Re: 0day Vulnerability in VLC (this is my first release of the vuln anywhere)

23 April, 2013 - 07:10

Posted by Henri Salo on Apr 23

I did not dislike the message. I believe they are making some good research.

The point of contacting the vendor is to get the issues fixed without creating
unnecessary security risks for users of the program.

To quote Jay: "just because of the lack of testing so far", so now he knows I can
help if needed. You are free to ignore my emails if you consider them spam.
I sure hope I am not the only person in the list who wishes responsible...

Re: 0day Vulnerability in VLC (this is my first release of the vuln anywhere)

23 April, 2013 - 07:02

Posted by Georgi Guninski on Apr 23

Please don't spam your opinion on every message you dislike.

counterspam: if you ask me, don't notify the vendor unless there is
some good external reason.

Re: How do I contact Vodafone Security?

23 April, 2013 - 05:20

Posted by Jann Horn on Apr 23

Thanks for all the replies. I sent a mail with details to a German
Vodafone employee who said he'll take care of it.

Jann

Re: How do I contact Vodafone Security?

23 April, 2013 - 02:05

Posted by Alexander Georgiev on Apr 23

If it's urgent: Try looking someone up on XING and contact him. Keywords:
vodafone, eschborn and maybe Cisco ASA (they use them). Always works for me.

On 22 April 2013 at 15:10:19, Jann Horn <jann () thejh net> wrote:

[SECURITY] [DSA 2663-1] tinc security update

22 April, 2013 - 18:10

Posted by Yves-Alexis Perez on Apr 22

-------------------------------------------------------------------------
Debian Security Advisory DSA-2663-1 security () debian org
http://www.debian.org/security/ Yves-Alexis Perez
April 22, 2013 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : tinc
Vulnerability : stack based buffer overflow
Problem...

Vulnerabilities in multiple plugins for WordPress with jPlayer

22 April, 2013 - 16:28

Posted by MustLive on Apr 22

Hello list!

I want to inform you about multiple vulnerabilities in multiple plugins for
WordPress with jPlayer. These are Cross-Site Scripting and Content Spoofing
vulnerabilities.

I've written about vulnerabilities in jPlayer earlier
(http://seclists.org/fulldisclosure/2013/Apr/192). jPlayer is used in
multiple web applications and particularly in multiple plugins for
WordPress. Google dork for jPlayer shows 32000 results and for WP...

Re: How do I contact Vodafone Security?

22 April, 2013 - 13:54

Posted by Jeffrey Walton on Apr 22

I usually use both secure () example com and security () example com. One is
specified in an RFC (see below), the other was popularized by
Microsoft around the same time the RFC was being assembled.

There are a few other addresses published in RFC2142
(http://www.ietf.org/rfc/rfc2142.txt). I usually try them too for good
measure.

You also have the Technical and Administrative contacts from the WHOIS
database (...

[ MDVSA-2013:150 ] mysql

22 April, 2013 - 13:21

Posted by security on Apr 22

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2013:150
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : mysql
Date : April 22, 2013
Affected: Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

Multiple...

[ MDVSA-2013:149 ] roundcubemail

22 April, 2013 - 12:58

Posted by security on Apr 22

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2013:149
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : roundcubemail
Date : April 21, 2013
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

A...

[ MDVSA-2013:148 ] roundcubemail

22 April, 2013 - 12:54

Posted by security on Apr 22

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2013:148
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : roundcubemail
Date : April 21, 2013
Affected: Enterprise Server 5.0
_______________________________________________________________________

Problem Description:...

Re: 0day Vulnerability in VLC (this is my first release of the vuln anywhere)

22 April, 2013 - 10:04

Posted by kaveh ghaemmaghami on Apr 22

That was my mistake (publicly disclosing issues before notifying the
vendor). I hope you don't wanna experience my mistake.
You can also report to vul () secunia com for your discovery and coordination
on your behalf.
Regards
Kaveh

Re: 0day Vulnerability in VLC (this is my first release of the vuln anywhere)

22 April, 2013 - 09:52

Posted by Henri Salo on Apr 22

Please follow responsible disclosure and report issues first to the vendor and
go public after waiting for a fix (or no reply). VLC usually replies to
important issues very fast. Please contact me in case you need a hand in
communication.

---
Henri Salo

0day Vulnerability in VLC (this is my first release of the vuln anywhere)

22 April, 2013 - 09:15

Posted by jay van on Apr 22

If VLC media player is launched in Qt mode and the user is on Windows NT
(any version of Windows so far as tested) connected to the internet, there
is a vulnerability in the handling of unicast packets. The proof of concept
code is in development and should be ready for publishing within the next 2
weeks. More in depth vulnerability information will be released with the
proof of concept. This is a joint effort (the POC (proof of concept) code
and...

How do I contact Vodafone Security?

22 April, 2013 - 08:13

Posted by Jann Horn on Apr 22

Hello,
does anyone know how I can contact Vodafone Security (preferably a
Germany-specific group because I have no idea whether the issue
affects people in other countries, too)?

I sent a mail to security () vodafone de and it didn't bounce (in case
someone from Vodafone is reading this: it was sent from my old
address jannhorn () googlemail com). In the mail, I told them to reply
within two weeks, and that was 2013-03-28. Well, I got no...

NoSuchCon 2013, Paris (France), May 15th-17th

22 April, 2013 - 06:17

Posted by NoSuchCon on Apr 22

Hello list,

It is a real pleasure to announce the final & exceptional lineup for
NoSuchCon 2013, which will happen in Paris next month. Thank you to all
of you who submitted this year – we had a hard time selecting top notch
content only, as we have been overwhelmed with quality research papers.

Now do not miss this opportunity to gather with fellow hackers from all
around the world, and grab your tickets here while they are hot:...

Coliseum101 - Security Conferences Calendar

22 April, 2013 - 06:15

Posted by Nahuel Grisolia on Apr 22

Hi all!

I would like to introduce you to "Coliseum101 - Security Conferences Calendar". The URL is: http://coliseum101.com

You'll find the best, well-known security conferences around the globe, with some additional info about them, etc.

There's a place for sponsors too, so just shoot me an email if you're interested in being there.

I know that there are some other websites with kind-of-the-same info, however, the idea is...

44Café Tuesday 23rd April, Earls Court London - What to expect

22 April, 2013 - 05:40

Posted by Steve on Apr 22

---- 44Café: The vendor-free event returns tomorrow!

44Café is the free vendor-free one-day event taking place upstairs at
O'Neill's, 326 Earl's Court Road, London on the 23rd of April. We'll
have talks, beer and free bacon butties to give away. If you're tired of
vendors at the main exhibition or you want to meet up with friends
before BSides London (http://www.securitybsides.org.uk/) this is the
place to be! All...

Re: VUPEN Security Research - Adobe Flash Player RTMP Data Processing Object Confusion (CVE-2013-2555)

22 April, 2013 - 02:17

Posted by Benji on Apr 22

It was a perfect example of a largely deployed application which utilises security engineers, and has pushed
patches/code which was ineffective. My point was that bugs like that are a lot easier to sort in a design or
development stage than after the fact when remediation time is tight, and that a 'QA' process of any type will not make
up for developer mistakes.

Sent from my iPhone.