[ntp:hackers] Release fixing all issues

brian utterback brian.utterback at oracle.com
Sun Jan 10 04:55:58 UTC 2016
On 1/9/2016 11:00 AM, Kurt Roeckx wrote:
> On Wed, Nov 25, 2015 at 08:29:22AM +0000, Harlan Stenn wrote:
>> Kurt Roeckx writes:
>>> On Wed, Oct 28, 2015 at 11:52:19PM +0000, Harlan Stenn wrote:
>>>> Kurt Roeckx writes:
>>>>> Hi,
>>>>>
>>>>> When can we expect a release fixing all the issues?  I would
>>>>> really like to see a release that fixes CVE-2015-5300,
>>>>> CVE-2015-7704 and CVE-2015-7705.
>>>>>
>>>>> The fix for CVE-2015-5300 is a trivial 1 line thing.
>>>> That one is interesting - we were told that it was not an issue in 4.2.8
>>>> until the day before p4 was released.  The window of vulnerability for
>>>> that one is very small, too.
>>>>
>>>> The short answer is we're planning to fix this in 4.2.8p5, due out
>>>> "soon".
>>>>
>>>>> The fix for CVE-2015-7704 seems to be incomplete, and I got an
>>>>> alternative patch for that.  But I've been told that I had to
>>>>> revert the patch for CVE-2015-7704+CVE-2015-7705 to get that
>>>>> working, so now I'm still affected by CVE-2015-7705.
>>>> Our patch for 7704/7705 went "too far".  Some of the patches I've seen
>>>> from others are differently broken.
>>>>
>>>> We've been working on better patches and should have found a proper fix
>>>> soon, in 4.2.8p5.
>>> We're a month later now.  When can we expect the new version?
>> Within the next 2 weeks' time, I expect.
>>
>> Additional new issues have appeared, mostly resolved now.
> So we're now 3 months after that issue is public and I still
> don't see a fix for it.
>
> On the other hand you seem to have a different fix for
> CVE-2015-5300 than what we applied 3 months ago, it seems to be
> the only security bug fixed, and it's not clear that there is
> something wrong with the old patch.
>
>> I'm the only person putting in full-time effort on NTP.  I'm still only
>> supported (paid) for about 35 hours/month.  NTP is lucky to get the US
>> equivalent of 1/4 time of help from its other volunteers (ie, I estimate
>> we get less than 10 hours/week on average).  I've been asking for more
>> resources for years, and *very* few are showing up.  Lots of folks said
>> "Put the code on github and you'll get *lots* of new help!"  We've had
>> master repos on github since around May of this year (announced in early
>> June) and no significant patches have yet been offered.
>>
>> Many folks are good at finding bugs, or at asking "when will the next
>> release be ready?"
>>
>> Not many are providing useful help.
>>
>> What are you doing to help?
> Harlan,
>
> Please stop this.  This is not helpful for either us or you.  You
> complain about this all the time and that is counter productive.

Harlan, I am somewhat confused. On the Security Notice page, all of the
CVEs that have been published except 5300 are listed as fixed in p4. But
there seems to be some indication that there are issues with some of
these fixes, since Kurt has said that some of them were changed in p5
and your previous message said that the fix for 7704 and 7705 went
"too far". I think the Security Notice page needs to reflect problems
introduced in releases with security fixes or fixes that have been revised.
-- 
Oracle <http://www.oracle.com>
Brian Utterback | Principal Software Engineer
Phone: +1 6038973049
Oracle Systems/RPE Solaris Network
1 Oracle Dr. | Nashua, NH 03062
------------------------------------------------------------------------
All working systems eventually start to exhibit their own agenda
------------------------------------------------------------------------