[j-nsp] JUNOS vulnerability with malformed TCP packets
Brad Fleming
bdfleming at kanren.net
Thu Jan 7 13:18:03 EST 2010
I think it depends how the vulnerability is discovered. If it's
discovered by groups that are likely to exploit the issue, I'd prefer
Juniper tell me NOW. If it is discovered internally by Juniper
technicians (or in a trusted customer lab), I'm OK with Juniper fixing
the issue and releasing details 6 months later.
I suppose severity of the exploit is another sliding metric for
whether I want to know immediately or not.
-brad
On Jan 7, 2010, at 11:44 AM, Darrell Root wrote:
>
>> Anyone know why some issues identified as early as January 2009 are only
>> being "released" now almost a year later? Just curious on some of these
>> security alerts and timeframe...
>
> If Juniper finds a security DDOS vulnerability, and it's not general knowledge,
> I'd prefer them to integrate the fix into their code without an announcement. That way,
> by the time the hackers find out about the vulnerability, the fix may have already been
> deployed to many of our affected routers.
>
> In this case that saved me a crash upgrade project. By the time it was announced
> I already had the fixed code on my JunOS boxes.
>
> Darrell