[ntp:security] Security Vulnerability Notification in NTP daemon

Danny Mayer mayer at ntp.org
Wed Feb 18 19:08:44 UTC 2009


Harlan Stenn wrote:
> Hi Fergal,
> 
>> Veracode was engaged to evaluate NTP 3.5.93e for application security
>> vulnerabilities, and, as part of our responsible disclosure policy, we
>> wish to notify you to disclose the details of the vulnerabilities that
>> were found during that evaluation.
> 
> While 3.5.93e is delightfully old and obsolete, I'd be happy to see the
> list to be sure that any of those vulnerabilities that remain in the
> current codebase are fixed.
> 

As Harlan notes, 3.5.93e is so old that we don't recommend anyone use it
for any purpose. The current stable release is 4.2.4p6, and 4.2.6 will be
out within the next month or two, and you should concentrate on those
releases.

>> Can you please provide the contact for your project to ensure that we
>> can securely provide the technical details of the flaws that we found?

Harlan is the main contact for this, but I usually act as a backup if
necessary. My public key is below.

Danny
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pgpkeys.asc
Type: application/pgp-keys
Size: 1721 bytes
Desc: not available
Url : https://lists.ntp.org/mailman/private/security/attachments/20090218/120f6379/attachment.bin 
