[ntp:security] Re: Concerning a possible bug in the 'ntp' package

David Wagner daw at cs.berkeley.edu
Tue Aug 30 10:31:48 UTC 2005

Thanks for your email.

> 	Note that ntpd-4.2.0 was released almost two years ago, and that 
> many, many changes and improvements have been made since. 
> Unfortunately, the Red Hat people have been particularly bad about 
> shipping ancient code with their system, and we've been trying to get 
> them to at least provide more up-to-date RPMs that can be applied by 
> their customers once they've installed the OS.

Ahh.  Sorry about that.  We just ran our tool on whatever apps were
shipped as part of Red Hat 9.  It was hard enough getting the tool to
run on all Red Hat 9 apps as it was; having to manually go grab the
latest version by FTP for each of the approximately 800 packages would
have been too much for our limited resources.

> 	We are very close to being ready to release version 4.2.1, but in 
> the meanwhile when doing testing of this sort, I would encourage you 
> to at least use the latest -RELEASE version of a package, if not the 
> latest -STABLE version.
> 	Ideally, you would also check the latest development snapshot and 
> the bug tracking database for the project, before reporting the 
> vulnerability as being proven to exist.

Sorry for the confusion.  We didn't intend to suggest that this
vulnerability has been proven to exist.  (We did write "possible bug"
and "suspect there may be a race condition", but I apologize if it
was unclear.)  We just wanted to tip you off to a potential problem,
on the assumption that you might be interested.

> 	Without knowing whether or not we've tried to address this 
> problem, I would invite you to visit bugzilla.ntp.isc.org and take a 
> look for yourself.  If not, you're welcome to open a bug report 
> yourself, and this way we will be able to properly track it an ensure 
> that this issue is resolved before we release version 4.2.1.

I appreciate the invitation.  Unfortunately, it is unlikely that I will
have the time to do this; when informing maintainers about the 100
potential security bugs spotted by the tool, there's a limit to how
many hoops we can reasonably go through just to report the potential
security bug.  Feel free to do what you like with this bug report.
We reported it primarily as a courtesy to you and others.

Thanks for being understanding about our limited resources.

-- David

More information about the security mailing list