[VIM] Vendor dispute - CVE-2006-1050 (Kwik-Pay)
Steve Tornio
steve at vitriol.net
Thu Feb 15 19:01:40 EST 2007
Steven M. Christey wrote:
> Well, I just got another email from the developer asking me to remove the
> X-Force item that was apparently deleted (which we won't, because of
> historical reasons, not to mention that the dispute is still pending), and
> to change the description because it doesn't match what SECUNIA:19075
> says. But it says "The security issue has been confirmed in version
> 4.2.20... Update to version 4.2.22." Which sure sounds to me like there
> used to be an issue and now there isn't. Does anybody know of a changelog
> entry?
>
> I eagerly await their reply.
>
> By the way - does anybody record retracted disputes? We have "* DISPUTED
> *" in the description only while the dispute is active, but I know we've
> had a number of retractions.
>
> - Steve
>
We got the same message. I removed the ISS entry, because on our side,
the broken link doesn't do us much good. I'll happily re-add it if the
entry re-appears. Google cache still has the entry, and it's basically
the same information as what we both have.

I asked him to clarify his problem between Secunia's description and
ours. I can't imagine we'll be moved by his arguments. Sullo posted a
changelog entry earlier that indicated they added ineffective encryption
in 4.2.21 and then fixed the encryption for 4.2.22.

Steve
osvdb.org