(no subject)
simont

Wed 2004-08-04 10:24
[identity profile] crazyscot.livejournal.com Wed 2004-08-04 02:51
One week is pretty shit hot in my not so very humble opinion, with at least a small basis in experience. Being a small dev team you can be exceedingly nimble, compared with even a medium-sized company...

Do you know when Core are going to publish their advisory?
[personal profile] simont Wed 2004-08-04 02:56
They originally threatened to publish at the end of August (I think that was the "whether you like it or not" clause intended to force us to fix the problem in case we were thinking of sweeping it under the carpet), but when I said we'd have the fix out long before then they said they'd move the advisory forward. So it might well be out in the next few days.
[identity profile] simonb.livejournal.com Wed 2004-08-04 05:02
Stuff was posted to the Full-Disclosure (http://lists.netsys.com/mailman/listinfo/full-disclosure) mailing list last night (http://lists.netsys.com/pipermail/full-disclosure/2004-August/024754.html).

I also remember that the formal advisory was posted to one of the many security-related mailing lists I'm on at some point last night, although I can't remember which one (may have been BugTraq, but I can't find any trace of it in their archives - it's not FD, I know that much).
[identity profile] simonb.livejournal.com Wed 2004-08-04 05:36
Right, found it. It was posted to the Secunia advisories mailing list (http://secunia.com/secunia_security_advisories/) at some point last night; the advisory is available from here (http://secunia.com/advisories/12212/).

Hmmmm - useful stuff; they've got RSS feeds on LJ in the shape of [livejournal.com profile] secuniasecurity for advisories and [livejournal.com profile] secunia_viruses for virus alerts.
[personal profile] simont Wed 2004-08-04 05:40
Hm, yes. That doesn't look like Core's advisory; that's just a translation into advisory format of the information on the PuTTY website. Though I suppose that's still useful, just for the benefit of people who watch advisory channels and expect to thereby be informed about what they need to upgrade.

The draft advisory Core sent me contained actual information about the precise problem (although it was somewhat incoherent - I'm vaguely hoping they'll let me send them additional text to help it make more sense), and that doesn't seem to have been published yet.
[identity profile] simonb.livejournal.com Wed 2004-08-04 05:51
Well, Secunia do say that they are a clearing house for security advisories from all over the place, so it's not really surprising that they probably took the advisory from the PuTTY home page.

As for the Core advisory being a little incoherent, I'm not surprised given their track record on writing stuff which I've seen on FD and other places!
[personal profile] simont Thu 2004-08-05 02:55
The Core advisory is now up (CORE-2004-0705), in case you're interested. Also I've published my own writeups of the two issues: vuln-modpow and vuln-ssh1-kex. I've mailed those links to both Core and Secunia, so with any luck they can issue revised versions of their advisories that actually say something useful.