[ntp:hackers] Workflow and issues surrounding security issues with NTP

Harlan Stenn stenn at ntp.isc.org
Fri Aug 25 21:56:24 UTC 2006


> > Feedback on http://ntp.isc.org/Dev/HandlingSecurityIssues would be
> > greatly appreciated. 
> 
> I assume the big picture is to minimize publicity for an exploit until it 
> gets fixed.

Yes.

> How many vendors have a copy of the sources that they modify and/or 
> distribute?  Is there any way to contact them?  If not, it might be a good 
> idea to collect a list of people to contact.

At the moment, whoever is working on the bug works with whoever reported
the bug and when a fix is ready we publish it.

For better or worse, to my knowledge we have had >1< CERT report
involving a string overflow with ntpq (or was it ntpdc), and no exploit
was ever demonstrated.

We have been cleaning up some similar overflow/overrun issues as they
are discovered.

We have been fortunate enough to not have to deal with any significant
security issues, but I want to be prepared in case one shows up.

I am working on exploring the creation of an "NTP Forum", where
membership in the group would allow for:

- setting product direction and feature priorities
- early security vulnerability notices and patch releases
- 3rd line support for integration and complicated customer issues
- Possibly limiting non-release-candidate development releases to this
  group
- priority bug fixes
- direct access to developers on a priority basis to discuss strategy
  and assist in deployment planning
- direct input to further release planning

Please note this is a preliminary list, and >IF< this group is created
the above list is merely the starting point.

I also expect there will be different "membership levels" for the group,
and for certain "higher" membership/benefit levels it will cost money
for commercial (not freeware) organizations to join.  There will also be
a very useful number of membership levels that will not cost money.

If you reply to this message with information about the Subject: thread,
great.  If you reply to this message with information about the NTP
Forum thread, please change the Subject: accordingly.

H


More information about the hackers mailing list