[j-nsp] JUNOS vulnerability with malformed TCP packets

[Tommy Perniciaro]

How can that be the case when 10.x was released after 1/09 and it's on  
the list of affected junos versions?

Sent from my iPhone

On Jan 7, 2010, at 11:24 AM, "harbor235" <harbor235 at gmail.com> wrote:

> Any code released after 1/28/09 has this issue fixed ...
>
> mike
>
> On Thu, Jan 7, 2010 at 1:18 PM, Brad Fleming <bdfleming at kanren.net>  
> wrote:
>
>> I think it depends how the vulnerability is discovered. If its  
>> discovered
>> by groups that are likely to exploit the issue, I'd prefer Juniper  
>> tell me
>> NOW. If it is discovered internally by Juniper technicians (or in a  
>> trusted
>> customer lab), I'm OK with Juniper fixing the issue and releasing  
>> details 6
>> months later.
>>
>> I suppose severity of the exploit is another sliding metric for  
>> whether I
>> want to know immediately or not.
>>
>> -brad
>>
>>
>> On Jan 7, 2010, at 11:44 AM, Darrell Root wrote:
>>
>>
>>> Anyone know why some issues identified as early as January 2009  
>>> are only
>>>> being "released" now almost a year later?  Just curious on some  
>>>> of these
>>>> security alerts and timeframe...
>>>>
>>>
>>> If Juniper finds a security DDOS vulnerability, and it's not general
>>> knowledge,
>>> I'd prefer them to integrate the fix into their code without an
>>> announcement.  That way,
>>> by the time the hackers find out about the vulnerability, the fix  
>>> may have
>>> already been
>>> deployed to many of our affected routers.
>>>
>>> In this case that saved me a crash upgrade project.  By the time  
>>> it was
>>> announced
>>> I already had the fixed code on my JunOS boxes.
>>>
>>> Darrell
>>>
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp