[ntp:hackers] Workflow and issues surrounding security issues
stenn at ntp.isc.org
Fri Aug 25 21:56:24 UTC 2006
> > Feedback on http://ntp.isc.org/Dev/HandlingSecurityIssues would be
> > greatly appreciated.
> I assume the big picture is to minimize publicity for an exploit until it
> gets fixed.
> How many vendors have a copy of the sources that they modify and/or
> distribute? Is there any way to contact them? If not, it might be a good
> idea to collect a list of people to contact.
At the moment, whoever is working on the bug works with whoever reported
the bug and when a fix is ready we publish it.
For better or worse, to my knowledge we have had >1< CERT report
involving a string overflow with ntpq (or was it ntpdc), and no exploit
was ever demonstrated.
We have been cleaning up some similar overflow/overrun issues as they
We have been fortunate enough to not have to deal with any significant
security issues, but I want to be prepared in case one shows up.
I am working on exploring the creation of an "NTP Forum", where
membership in the group would allow for:
- setting product direction and feature priorities
- early security vulnerability notices and patch releases
- 3rd line support for integration and complicated customer issues
- Possibly limiting non-release-candidate development releases to this
- priority bug fixes
- direct access to developers on a priority basis to discuss strategy
and assist in deployment planning
- direct input to further release planning
Please note this is a preliminary list, and >IF< this group is created
the above list is merely the starting point.
I also expect there will be different "membership levels" for the group,
and for certain "higher" membership/benefit levels it will cost money
for commercial (not freeware) organizations to join. There will also be
a very useful number of membership levels that will not cost money.
If you reply to this message with information about the Subject: thread,
great. If you reply to this message with information about the NTP
Forum thread, please change the Subject: accordingly.