Subject: Re: NetBSD Security Advisory 2001-001
To: None <current-users@netbsd.org>
From: Ari Gordon-Schlosberg <regs@nebcorp.com>
List: current-users
Date: 02/11/2001 23:26:47
[Nick <nmanisca@vt.edu>]
> On Sun, Feb 11, 2001 at 02:22:35PM +1100, NetBSD Security Officer wrote:
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> >
> > NetBSD Security Advisory 2001-001
> > =================================
> >
> > Topic: Multiple BIND vulnerabilities
> > Version: All release versions of NetBSD, and NetBSD-current
> > Severity: Remote root execution of commands is possible
> > Fixed: NetBSD-current: January 27, 2001
> > NetBSD 1.5 branch: January 28, 2001
> > NetBSD 1.4 branch: January 28, 2001
>
> I hope that this one doesn't come off as bashing or ranting...
>
> Maybe I am not reading the right mailing lists, but doesn't it seem
> like the NetBSD user community should hear about this sort of thing
> sooner? I've been seeing noise on Bugtraq about it for a while now
> but I never saw a NetBSD Sec. Advisory until today. It makes me
> sort of uneasy to know these vulnerabilities were common knowledge
> for so long without an advisory.
>
> Is it a bad idea to rely on the NetBSD Security Advisories to keep
> up-to-date on vulnerabilities in NetBSD?

CERT issued a warning in coordination with ISC. Anyone who is concerned
about security should *not* be relying on the vendor to give them timely
notice. If you are concerned with getting "zero-day" security info,
subscribe to bugtraq, CERT mailing lists, and security mailing lists for
the vendors of individual packages.
--
Ari there is no spoon
-------------------------------------------------------------------------
http://www.nebcorp.com/~regs/pgp for PGP public key