Bugtraq mailing list archives

Re: CERT Advisory CA-97.23 - rdist


From: deraadt () CVS OPENBSD ORG (Theo de Raadt)
Date: Tue, 16 Sep 1997 14:38:46 -0600


CERT* Advisory CA-97.23
Original issue date: September 16, 1997
Last revised: --

Topic: Buffer Overflow Problem in rdist

OpenBSD does not have this problem.  None of the versions of rdist
distributed are setuid or setgid.

But the more important issue is that after repeated requests to CERT
to give us advance warning on these issues, and include us in their
advisories, they have simply ignored the mail we've sent.

What's up, CERT?  Why don't you respond to mail from the OpenBSD
project?

Here's some mail I sent CERT before, but got no response to:

----------------------------------------
To: cert () cert org
cc: deraadt
Subject: lpd advisory
Message-Id: <199707252312.RAA19967 () cvs openbsd org>
Date: Fri, 25 Jul 1997 17:12:58 -0600
From: Theo de Raadt <deraadt () cvs openbsd org>

I have heard there is an [deleted] advisory in the works.

Yet, OpenBSD did not receive any notification of this advisory through
proper channels, but FreeBSD certainly did.

OpenBSD is an OS vendor too.  Why didn't we get advance notice?

Obviously if one BSD has the problem, other BSDs are going to
have it too.  What's the deal?

Why are we not being notified of problems before the release of a
CERT advisory?

I have asked this question twice before.

What other advisories are in the works that OpenBSD is not being
informed of?
