[ntp:hackers] Release fixing all issues

Kurt Roeckx kurt at roeckx.be
Sat Jan 9 16:00:09 UTC 2016


On Wed, Nov 25, 2015 at 08:29:22AM +0000, Harlan Stenn wrote:
> Kurt Roeckx writes:
> > On Wed, Oct 28, 2015 at 11:52:19PM +0000, Harlan Stenn wrote:
> > > Kurt Roeckx writes:
> > > > Hi,
> > > > 
> > > > When can we expect a release fixing all the issues?  I would
> > > > really like to see a release that fixes CVE-2015-5300,
> > > > CVE-2015-7704 and CVE-2015-7705.
> > > > 
> > > > The fix for CVE-2015-5300 is a trivial 1 line thing.
> > > 
> > > That one is interesting - we were told that it was not an issue in 4.2.8
> > > until the day before p4 was released.  The window of vulnerability for
> > > that one is very small, too.
> > > 
> > > The short answer is we're planning to fix this in 4.2.8p5, due out
> > > "soon".
> > > 
> > > > The fix for CVE-2015-7704 seems to be incomplete, and I got an
> > > > alternative patch for that.  But I've been told that I had to
> > > > revert the patch for CVE-2015-7704+CVE-2015-7705 to get that
> > > > working, so now I'm still affected by CVE-2015-7705.
> > > 
> > > Our patch for 7704/7705 went "too far".  Some of the patches I've seen
> > > from others are differently broken.
> > > 
> > > We've been working on better patches and should have found a proper fix
> > > soon, in 4.2.8p5.
> > 
> > We're a month later now.  When can we expect the new version?
> 
> Within the next 2 weeks' time, I expect.
> 
> Additional new issues have appeared, mostly resolved now.

So we're now 3 months after that issue is public and I still
don't see a fix for it.

On the other hand you seem to have a different fix for
CVE-2015-5300 than what we applied 3 months ago, it seems to be
the only security bug fixed, and it's not clear that there is
something wrong with the old patch.

> I'm the only person putting in full-time effort on NTP.  I'm still only
> supported (paid) for about 35 hours/month.  NTP is lucky to get the US
> equivalent of 1/4 time of help from its other volunteers (ie, I estimate
> we get less than 10 hours/week on average).  I've been asking for more
> resources for years, and *very* few are showing up.  Lots of folks said
> "Put the code on github and you'll get *lots* of new help!"  We've had
> master repos on github since around May of this year (announced in early
> June) and no significant patches have yet been offered.
> 
> Many folks are good at finding bugs, or at asking "when will the next
> release be ready?"
> 
> Not many are providing useful help.
> 
> What are you doing to help?

Harlan,

Please stop this.  This is not helpful for either us or you.  You
complain about this all the time and that is counterproductive.


Kurt