Re: CERT Advisory CA-97.23 - rdist

Theo de Raadt (deraadt@CVS.OPENBSD.ORG)
Tue, 16 Sep 1997 14:38:46 -0600

> CERT* Advisory CA-97.23
> Original issue date: September 16, 1997
> Last revised: --
>
> Topic: Buffer Overflow Problem in rdist

OpenBSD does not have this problem. None of the versions of rdist
distributed are setuid or setgid.

But the more important issue is that after repeated requests to CERT
to give us advance warning on these issues, and include us in their
advisories, they have simply ignored the mail we've sent.

What's up, CERT? Why don't you respond to mail from the OpenBSD
project?

Here's some mail I sent CERT before, but got no response to:

----------------------------------------
To: cert@cert.org
cc: deraadt
Subject: lpd advisory
Message-Id: <199707252312.RAA19967@cvs.openbsd.org>
Date: Fri, 25 Jul 1997 17:12:58 -0600
From: Theo de Raadt <deraadt@cvs.openbsd.org>

I have heard there is an [deleted] advisory in the works.

Yet, OpenBSD did not receive any notification of this advisory through
proper channels, but FreeBSD certainly did.

OpenBSD is an OS vendor too. Why didn't we get advance notice?

Obviously if one BSD has the problem, other BSDs are going to
have it too. What's the deal?

Why are we not being notified of problems before the release of a
CERT advisory?

I have asked this question twice before.

What other advisories are in the works that OpenBSD is not being
informed of?