[ntp:security] Re: Concerning a possible bug in the 'ntp' package

Brad Knowles knowles at ntp.isc.org
Tue Aug 30 08:28:20 UTC 2005

At Mon, 29 Aug 2005 15:07:27 -0700 (PDT), Ben Schwarz 
<bschwarz at EECS.berkeley.EDU> wrote:

>  URL with program traces for this package:
>  https://taverner.cs.berkeley.edu/traces/tmpfile/ntp-4.1.2-0.rc1.2/HTMLtrace/

	Note that ntpd-4.2.0 was released almost two years ago, and that 
many, many changes and improvements have been made since. 
Unfortunately, the Red Hat people have been particularly bad about 
shipping ancient code with their system, and we've been trying to get 
them to at least provide more up-to-date RPMs that can be applied by 
their customers once they've installed the OS.

	We are very close to being ready to release version 4.2.1, but in 
the meanwhile when doing testing of this sort, I would encourage you 
to at least use the latest -RELEASE version of a package, if not the 
latest -STABLE version.

	Ideally, you would also check the latest development snapshot and 
the bug tracking database for the project, before reporting the 
vulnerability as being proven to exist.

	Without knowing whether or not we've tried to address this 
problem, I would invite you to visit bugzilla.ntp.isc.org and take a 
look for yourself.  If not, you're welcome to open a bug report 
yourself, and this way we will be able to properly track it an ensure 
that this issue is resolved before we release version 4.2.1.

Brad Knowles <knowles at ntp.isc.org> Postmaster, Listmaster, & PGP Keymaster

More information about the security mailing list