[ntp:security] Security Vulnerability Notification in NTP daemon

Harlan Stenn stenn at ntp.org
Wed Feb 18 18:57:38 UTC 2009



Hi Fergal,

> Veracode was engaged to evaluate NTP 3.5.93e for application security
> vulnerabilities, and, as part of our responsible disclosure policy, we
> wish to notify you to disclose the details of the vulnerabilities that
> were found during that evaluation.

While 3.5.93e is delightfully old and obsolete, I'd be happy to see the
list to be sure that any of those vulnerabilities that remain in the
current codebase are fixed.

> Can you please provide the contact for your project to ensure that we
> can securely provide the technical details of the flaws that we found?

I think my PGP key should be on several of the keyservers.  The key I
use at ntp.org should be:


