[ntp:hackers] Release fixing all issues

Harlan Stenn stenn at ntp.org
Wed Nov 25 08:29:22 UTC 2015


Kurt Roeckx writes:
> On Wed, Oct 28, 2015 at 11:52:19PM +0000, Harlan Stenn wrote:
> > Kurt Roeckx writes:
> > > Hi,
> > > 
> > > When can we expect a release fixing all the issues?  I would
> > > really like to see a release that fixes CVE-2015-5300,
> > > CVE-2015-7704 and CVE-2015-7705.
> > > 
> > > The fix for CVE-2015-5300 is a trivial 1 line thing.
> > 
> > That one is interesting - we were told that it was not an issue in 4.2.8
> > until the day before p4 was released.  The window of vulnerability for
> > that one is very small, too.
> > 
> > The short answer is we're planning to fix this in 4.2.8p5, due out
> > "soon".
> > 
> > > The fix for CVE-2015-7704 seems to be incomplete, and I got an
> > > alternative patch for that.  But I've been told that I had to
> > > revert the patch for CVE-2015-7704+CVE-2015-7705 to get that
> > > working, so now I'm still affected by CVE-2015-7705.
> > 
> > Our patch for 7704/7705 went "too far".  Some of the patches I've seen
> > from others are differently broken.
> > 
> > We've been working on better patches and should have found a proper fix
> > soon, in 4.2.8p5.
> 
> We're a month later now.  When can we expect the new version?

Within the next 2 weeks' time, I expect.

Additional new issues have appeared, mostly resolved now.

It's a holiday week here in the USA.

I'm the only person putting in full-time effort on NTP.  I'm still only
supported (paid) for about 35 hours/month.  NTP is lucky to get the US
equivalent of 1/4 time of help from its other volunteers (i.e., I estimate
we get less than 10 hours/week on average).  I've been asking for more
resources for years, and *very* few are showing up.  Lots of folks said
"Put the code on GitHub and you'll get *lots* of new help!"  We've had
master repos on GitHub since around May of this year (announced in early
June) and no significant patches have yet been offered.

Many folks are good at finding bugs, or at asking "when will the next
release be ready?"

Not many are providing useful help.

What are you doing to help?
-- 
Harlan Stenn <stenn at ntp.org>
http://networktimefoundation.org - be a member!





