[j-nsp] JUNOS vulnerability with malformed TCP packets

Brad Fleming bdfleming at kanren.net
Thu Jan 7 13:18:03 EST 2010

I think it depends how the vulnerability is discovered. If its  
discovered by groups that are likely to exploit the issue, I'd prefer  
Juniper tell me NOW. If it is discovered internally by Juniper  
technicians (or in a trusted customer lab), I'm OK with Juniper fixing  
the issue and releasing details 6 months later.

I suppose severity of the exploit is another sliding metric for  
whether I want to know immediately or not.


On Jan 7, 2010, at 11:44 AM, Darrell Root wrote:

>> Anyone know why some issues identified as early as January 2009 are  
>> only
>> being "released" now almost a year later?  Just curious on some of  
>> these
>> security alerts and timeframe...
> If Juniper finds a security DDOS vulnerability, and it's not general  
> knowledge,
> I'd prefer them to integrate the fix into their code without an  
> announcement.  That way,
> by the time the hackers find out about the vulnerability, the fix  
> may have already been
> deployed to many of our affected routers.
> In this case that saved me a crash upgrade project.  By the time it  
> was announced
> I already had the fixed code on my JunOS boxes.
> Darrell

More information about the juniper-nsp mailing list