bofh wrote:
1). They didn't contact OpenBSD about this
The CERT Advisory document (the MS Word doc file) claims that "OpenBSD" was notified on 2008-5-5 11:24:02. Obviously I have no idea if this is true. Since it seems almost everyone was caught without a patch on disclosure day, the notification list seems suspect.
The notification timeline in the document is somewhat interesting. Microsoft was notified first (okay, I understand the guy works there). A bunch of large corporations were notified on April 21, then ISC was notified on April 29. On May 5, it looks like they finally decided to notify everyone else.
I'm guessing they don't like Nixu, NetApp and Dragonfly, since they were notified on Thursday, July 3 (the day before a long weekend in the US), with public release on Tuesday, July 8.