Subject: Re: Wondering about systrace
To: Martin Weber <Ephaeton@gmx.net>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-security
Date: 05/12/2004 09:15:57
On Wed, May 12, 2004 at 11:07:40AM +0200, Martin Weber wrote:
> Yo NetBSD Security team,
> 
> I was very surprised to learn about ``NetBSD Systrace Privilege Escalation'' [1,2]
> on Daemon news[3], and not on the announce/tech-sec mailing lists. As I take it, the
> dates of discussion of the vulnerability fall nicely along with our ftp server
> problems; yet may something like that:
> 
> `` Disclosure Timeline
> (...)
> 9. April 2004   Bug is fixed in NetBSD CVS tree.
> 11. April 2004  NetBSD informed me that they hope to release within the week.
> (...)
> 3. May 2004     After contacting NetBSD again they tell me that they 
>                 "lost track" and hope to release within the week (again)
> 11. May 2004    Since the fix over a month has passed. Still no vendor advisory. 
>                 Public Disclosure. '' ([2])

I think there's some misunderstanding here.  We don't usually do security
advisories for code that's not released; we fix the bug, and note the fix
appropriately in the CVS revision log; if you're using -current, you're
really supposed to keep an eye on source-changes, and so you'd see the
message there.

We may have offered to do a special security advisory for this issue at the
request of the person who brought it to our attention; security-officer
would have to comment on that.  In that case, I'd assume that at least part
of the procedural difficulty was because that's not something we usually do.

Feel free to forward this message to Daemon-News if you like.

Thor