Subject: Re: Wondering about systrace
To: Martin Weber <Ephaeton@gmx.net>
From: Jaromir Dolecek <jdolecek@NetBSD.org>
List: tech-security
Date: 05/12/2004 13:45:10
Strictly speaking, systrace was not part of any official release
yet. AFAIK we don't normally do S-As for problems in -current.
The fix is pulled up to 2.0 branch already.
Jaromir
Martin Weber wrote:
> Yo NetBSD Security team,
>
> I was very surprised to learn about ``NetBSD Systrace Privilege Escalation'' [1,2]
> on Daemon news[3], and not on the announce/tech-sec mailing lists. As I take it the
> dates of discussion of the vulnerability fall nicely along with our ftp server
> problems; yet may something like that:
>
> `` Disclosure Timeline
> (...)
> 9. April 2004 Bug is fixed in NetBSD CVS tree.
> 11. April 2004 NetBSD informed me that they hope to release within the week.
> (...)
> 3. May 2004 After contacting NetBSD again they tell me that they
> "lost track" and hope to release within the week (again)
> 11. May 2004 Since the fix over a month has passed. Still no vendor advisory.
> Public Disclosure. '' ([2])
>
> ever happen ? This gives me a bad feeling, and I assume I'm not the only one
> to feel like that about that showing up at the 'wrong place'.
>
> And now ? Still nothing from the NetBSD team ?
>
> Regards,
>
> -Martin
>
> [1]: http://secunia.com/advisories/11585/
> [2]: http://security.e-matters.de/advisories/042004.html
> [3]: http://bsdnews.com/view_story.php3?story_id=4548
>
--
Jaromir Dolecek <jdolecek@NetBSD.org> http://www.NetBSD.cz/
-=- We should be mindful of the potential goal, but as the Buddhist -=-
-=- masters say, ``You may notice during meditation that you -=-
-=- sometimes levitate or glow. Do not let this distract you.'' -=-