Sorry for the late response, only so many hours in the day.

On Tue, Jun 18, 2019 at 08:06:55PM -0400, Shawn Webb wrote:
> It appears that Netflix's advisory (as of this writing) does not
> include a timeline of events. Would FreeBSD be able to provide its
> event timeline with regards to CVE-2019-5599?

I don't generally document a timeline of events from our side. This particular disclosure was a bit unusual as it wasn't external but instead was an internal FreeBSD developer the security team often works with. As such, our process was a bit out of sync with normal (as much as we have a normal with our current processes).

All of that said, we got notice in early June, about 10 days before public disclosure.

> Were any FreeBSD derivatives given advanced notice? If so, which ones?

They were not. I would like to get to a point where we feel we could give some sort of heads up for downstream, but we aren't there yet.

Best,
Gordon