[VIM] new strategy for dealing with pesky vulnerabilities

security curmudgeon jericho at attrition.org
Mon Oct 8 06:00:51 UTC 2007


11/02/2004 Initial vendor notification
11/03/2004 Initial vendor response
12/19/2005 Second vendor notification
01/30/2007 Third vendor notification
01/30/2007 Third vendor response
04/25/2007 Status update requested
06/08/2007 Status update requested
07/24/2007 Status update requested
07/30/2007 Vendor stated product's support ended in 2002
08/06/2007 Vendor communicated their response
08/07/2007 Coordinated public disclosure

November 2, 2004, HP is informed of the vulnerability in HP-UX 11.11i. 
Almost three years later, HP says "product's support ended in 2002". Also 
from the advisory:

   Hewlett-Packard states that this product is obsolete and no longer
   supported. They have no plans to release a patch or advisory. They
   further stated that the version of HP-UX used to verify this
   vulnerability is also obsolete.

   "HP simply recommends that customers upgrade to a currently supported OS
   release and to some other tool, if one is available."

So it took HP almost three years to realize the software was no longer 
supported and say that is a solution?
