Subject: Wondering about systrace
To: None <tech-security@NetBSD.org>
From: Martin Weber <Ephaeton@gmx.net>
List: tech-security
Date: 05/12/2004 11:07:40
Yo NetBSD Security team,

I was very surprised to learn about ``NetBSD Systrace Privilege Escalation'' [1,2]
on Daemon News[3], and not on the announce/tech-sec mailing lists. As I take it, the
dates of discussion of the vulnerability fall nicely along with our ftp server
problems; yet may something like that:

`` Disclosure Timeline
(...)
9. April 2004   Bug is fixed in NetBSD CVS tree.
11. April 2004  NetBSD informed me that they hope to release within the week.
(...)
3. May 2004     After contacting NetBSD again they tell me that they 
                "lost track" and hope to release within the week (again)
11. May 2004    Since the fix over a month has passed. Still no vendor advisory. 
                Public Disclosure. '' ([2])

ever happen? This gives me a bad feeling, and I assume I'm not the only one
to feel like that about that showing up at the 'wrong place'.

And now? Still nothing from the NetBSD team?

Regards,

-Martin

[1]: http://secunia.com/advisories/11585/
[2]: http://security.e-matters.de/advisories/042004.html
[3]: http://bsdnews.com/view_story.php3?story_id=4548