Subject: Re: Wondering about systrace
To: Martin Weber <Ephaeton@gmx.net>
From: Jaromir Dolecek <jdolecek@NetBSD.org>
Date: 05/12/2004 13:45:10
Strictly speaking, systrace was not part of any official release
yet. AFAIK we don't normally do S-As for problems in -current.
The fix is pulled up to 2.0 branch already.
Martin Weber wrote:
> Yo NetBSD Security team,
> I was very surprised to learn about ``NetBSD Systrace Privilege Escalation'' [1,2]
> on Daemon news, and not on the announce/tech-sec mailing lists. As I take it the
> dates of discussion of the vulnerability fall nicely along with our ftp server
> problems; yet may something like that:
> `` Disclosure Timeline
> 9. April 2004 Bug is fixed in NetBSD CVS tree.
> 11. April 2004 NetBSD informed me that they hope to release within the week.
> 3. May 2004 After contacting NetBSD again they tell me that they
> "lost track" and hope to release within the week (again)
> 11. May 2004 Since the fix over a month has passed. Still no vendor advisory.
> Public Disclosure. '' ()
> ever happen ? This gives me a bad feeling, and I assume I'm not the only one
> to feel like that about that showing up at the 'wrong place'.
> And now ? Still nothing from the NetBSD team ?
> [1]: http://secunia.com/advisories/11585/
> [2]: http://security.e-matters.de/advisories/042004.html
> [3]: http://bsdnews.com/view_story.php3?story_id=4548
Jaromir Dolecek <jdolecek@NetBSD.org> http://www.NetBSD.cz/
-=- We should be mindful of the potential goal, but as the Buddhist -=-
-=- masters say, ``You may notice during meditation that you -=-
-=- sometimes levitate or glow. Do not let this distract you.'' -=-