Subject: Re: NetBSD Security Advisory 2000-001
To: Daniel Carosone <security-officer@netbsd.org>
From: Alex <xela@MIT.EDU>
List: tech-security
Date: 02/17/2000 21:59:24
Message-Id: <200002180259.VAA16646@mint-square.mit.edu>
Cc: tech-security@netbsd.org
In-Reply-To: Your message of "Wed, 16 Feb 2000 07:59:08 +1100."
<14505.23693.773699.404104@passion.geek.com.au>
Date: Thu, 17 Feb 2000 21:59:24 -0500
> NetBSD Security Advisory 2000-001
> =================================
>
> Topic: procfs security hole
> Version: NetBSD 1.4.1 and prior; NetBSD-current until 20000126
> Severity: If the proc filesystem is mounted, any user can become root
Will this vulnerability be corrected in 1.4.2 before it is released?
(As an aside, it would probably be good if the security announcement
template had a slot for explicitly stating whether the forthcoming
release will also have the vulnerability. Yes, I know, "of course it
won't" is almost certainly always the answer. But it should still
be stated explicitly, if only to keep paranoids like me from sending
messages like this.)
---Alex
Carl Alexander KD7GUR
------------- MIT (where Alex hangs out):
xela@mit.edu Course VI (sometime special student) SIPB (prospective)
Mitgaard ("honorary mold") MITSFS LSC (night worker)
http://web.mit.edu/~xela
------------- Work (where they call me 'Carl'):
carl@terc.edu Sr. Systems & Network Administrator, TERC
http://www.terc.edu