As stated in the original Valicert advisory released 04Dec2001 (http://www.nmrc.org/advise/valicert1.txt), Valicert's response to us with a proprietary and confidential version of their advisory was not quoted from. However, a slightly edited version of this document appeared on their web site yesterday (ignore the November 28 date, that was the day we saw a version of it): http://www.valicert.com/support/security_advisory_eva.html We updated our advisory online with a note regarding this. Valicert's advisory includes details on version information and how to obtain fixes. Odd how *we* are the ones making this known. Ah well.
