In 2004, NGSS reported a number of serious security issues in Sybase ASE to Sybase, which Sybase has released patches for: http://www.sybase.com/detail?id=1034520 NGSS advise all Sybase ASE customers to review the advice that Sybase provided in the alert above, and apply the relevant patches as soon as is practical. In line with our responsible disclosure policy, NGSS generally withhold technical information about vulnerabilities for three months after the vendor has provided a patch. NGSS do this in order to ensure that customers have sufficient time to apply the patch, or otherwise protect themselves in line with the vendor's advice before the details are made available to the general public. After three months, the technical details are then disclosed, in order to allow security auditors and network administrators to fully understand the impact of the issues concerned, to prove that patches have been applied correctly, and to implement more specific workarounds. NGSS were due to publish the full technical details of the vulnerabilities concerned on the 21st of March 2005. On the morning of the 21st of March, NGSS received a letter from the Sybase legal team requesting that NGSS withhold technical details of these serious vulnerabilities indefinitely. Consequently, NGSS feel unable to publish the technical details of these bugs until the legal situation has been resolved. NGSS believe that it is not in the best interest of Sybase customers for Sybase to prevent publication of the technical details of these bugs.
This archive was generated by hypermail 2.1.3 : Mon Mar 21 2005 - 11:54:28 PST