[Zope] HTTP Request Denial of Service Vulnerability

Ryan_Permeh at McAfee.com Ryan_Permeh at McAfee.com
Fri Jul 24 12:24:07 EDT 2009


I manage product security at McAfee, of which Foundstone is a part.  I am not aware of releasing such an advisory, and am looking into this.  Could we get details regarding where this was found?  Was this posted to a web site?  A security mailing list?  And when was it posted?  This may have a very different meaning if it was published in 2001 or something like that.  Alternately, Foundstone produces vulnerability management software; was this in a report generated by that product?

As far as I know, we try to never make general sweeping statements about products such as those quoted by the poster.  Our statements are typically regarding a single vulnerability, and extrapolating to the entire product is not in our nature or in our customers' best interests.  We want issues fixed, not to argue about which specific platforms are better than others.  Additionally, we try to never release any vague reports such as the one I'd seen.  They are typically combined with additional details that would allow one to determine their own risk, and we usually include a CVE number or another common vulnerability identifier.  Finally, we follow responsible disclosure, and wouldn't issue an advisory without notifying the vendor prior.

I have the appropriate teams trying to track this down from an internal standpoint, but any help from the community, especially the original poster, would be appreciated.  If our statement or product wording is incorrect, we will certainly rectify this.

Ryan Permeh
Manager of Product Security
McAfee Security Architecture Group
email: ryan_permeh at mcafee.com


