Subject: Re: Security advisories
To: Dave Tyson <>
From: Ed Ravin <>
List: tech-security
Date: 03/28/2006 16:59:28
On Mon, Mar 27, 2006 at 10:05:46AM +0100, Dave Tyson wrote:
> [minor ranting]
> Notwithstanding the discussion on this list a few days ago about the latest 
> sendmail security alert, I am concerned that the project seems to be failing 
> to get this information out to users in a timely manner. 
> I actually got the FreeBSD security advisory mailed almost a week ago and a 
> quick look convinced me this would apply to NetBSD as well. I expected to get 
> a similar NetBSD missive in the post within a day or two and so far nothing 
> has appeared.
> We've fixed up our vulnerable systems, but I wonder how many 'new starters'
> are even aware of the issue. I am sure the project used to be a LOT more 
> responsive in the past to dealing with security issues.

I've been disappointed in the past when security vulnerabilities that
seemed to me to be major problems went without advisories, and were
fixed only in current and not the releases.

I suspect there's a shortage of volunteer time in the security officer
slot.  I agree that it makes NetBSD look bad compared to everyone else.

BTW, it looks like the sendmail fixes were posted to CVS on March 24,
for both current and releases.