[ntp:security] Security Vulnerability Notification in NTP daemon

Fergal Glynn FGlynn at Veracode.com
Wed Feb 18 19:39:50 UTC 2009

Hi Harlan and Danny,

Thanks for your response. The analysis is available in a secure location
on Veracode's hosted platform. If each of you fill out the following
details I can get both of you access:

First Name:
Last Name:

After we provision you I can also set up a call with my security lead
who will review and discuss the results of Veracode's analysis with you.
A Platform account also gives you access to Veracode's mitigation tools
and any other analysis we perform on subsequent NTP builds. During the
call I would also like to discuss scanning a pre-release of 4.2.6.

There is no charge for this. This service is being made available to the
open source projects our customers have asked us to scan.



-----Original Message-----
From: Danny Mayer [mailto:mayer at ntp.org] 
Sent: Wednesday, February 18, 2009 2:09 PM
To: Harlan Stenn
Cc: Fergal Glynn; security at ntp.org
Subject: Re: [ntp:security] Security Vulnerability Notification in NTP

Harlan Stenn wrote:
> Hi Fergal,
>> Veracode was engaged to evaluate NTP 3.5.93e for application security

>> vulnerabilities, and, as part of our responsible disclosure policy, 
>> we wish to notify you to disclose the details of the vulnerabilities 
>> that were found during that evaluation.
> While 3.5.93e is delightfully old and obsolete, I'd be happy to see 
> the list to be sure that any of those vulnerabilities that remain in 
> the current codebase are fixed.

As Harlan notes, 3.5.93e is so old that we don't recommend anyone use it
for any purpose. The current stable release is 4.2.4p6 and 4.2.6 will be
out within the next month or two and you should concentrate on those

>> Can you please provide the contact for your project to ensure that we

>> can securely provide the technical details of the flaws that we

Harlan is the main contact for this, but I usually act as a backup if
necessary. My public key is below.


More information about the security mailing list