Subject: Napster, Inc. response to Colten Edwards
From: Elias Levy (aleph1@SECURITYFOCUS.COM)
Date: Thu Mar 30 2000 - 13:51:49 CST

----- Forwarded message from Jordan Ritter <jpr5@napster.com> -----

Date: Wed, 29 Mar 2000 13:50:05 -0800
From: Jordan Ritter <jpr5@napster.com>
To: aleph1@securityfocus.com
Subject: Napster, Inc. response to Colten Edwards
Message-ID: <20000329135005.A17554@napster.com>

Aleph --

      I'm waiting for listserv to come through on my napster.com
      subscription to bugtraq, but it's lagging. Please push this
      through. Thanks.



BugTraq readership:

    This email is in response to the recent post by Colten Edwards
    regarding a potential buffer overflow in the Napster client.

    The Napster Win32 client software does contain an overflow in its
    messaging functionality, which includes public (chat) and private
    (IM) messaging. The overflow only affects users of the Win32
    Napster client, and could only be exploited through the use of a
    rogue Napster client in conjunction with a Napster server.

    Napster, Inc. reports NO indication that this vulnerability is
    being exploited, and further would like to assure the general
    public that the vulnerability is NOT an issue any longer.

    Approximately one hour after receiving the post from BugTraq,
    Napster's servers were patched to prevent this from occurring.
    Users of the Napster Win32 client software are NOT vulnerable.

    We would like to point out the unfortunate fact that we first
    learned of this issue through BugTraq. The discovery of the
    problem was apparently relayed briefly to the #napster channel on
    EFnet IRC by Colten Edwards, before being posted to this list
    approximately one hour later. Napster, Inc. was never notified of
    this issue via phone, email, or across any other effective channel
    of communication.

    This situation is particularly disturbing to us, as Mr. Edwards'
    malicious intent becomes painfully obvious from the tone and
    candor of his post. To the best of our knowledge, the general
    policy on BugTraq is that vendors should be notified of issues and
    given a reasonable amount of time to address the problem, so as to
    avoid unnecessary risk to the vendor's customers. A meaningful
    notification from Mr. Edwards and a small amount of patience would
    have resulted in a fix before the potential vulnerability put our
    users at risk. Of course, understanding the time frame involved
    and the intent of the post, we can only voice our dismay and
    disapproval of Mr. Edwards' actions.

    Thank you, and good day.

Jordan Ritter
Security Director
Napster, Inc.

Napster -- Music at Internet Speed

----- End forwarded message -----

Elias Levy