[ntp:security] Security Vulnerability Notification in NTP daemon

Fergal Glynn FGlynn at Veracode.com
Fri Feb 20 19:31:21 UTC 2009


Harlan,

You should be receiving a separate notification that describes how to
access the Veracode service. I would also like to draw your attention to
a feature in the service that allows you to comment on flaws you feel
have been erroneously flagged.  To get to this feature: go to the review
results tab, expand the flaw details by clicking the dark blue/gray
twisty next to a flaw ID, then expand the Show Comments and Actions
dropdown. Finally, select "mitigated by design" from the dropdown
Action list and insert a comment. After you have entered your comment
click Save. My security team will see your entry and this will be taken
into account as part of the analysis.

Would you and the NTP team like to do a readout with our security team?
On the readout we can provide more insight into our analysis and discuss
your comments. How does your schedule look Friday (2/27) at 11am, 12pm,
or 3pm EST? 

Regards,

Fergal

-----Original Message-----
From: Harlan Stenn [mailto:stenn at ntp.org] 
Sent: Wednesday, February 18, 2009 6:58 PM
To: Fergal Glynn
Cc: security at ntp.org
Subject: Re: [ntp:security] Security Vulnerability Notification in NTP daemon

Hi Fergal,

> Thanks for your response. The analysis is available in a secure
> location on Veracode's hosted platform. If each of you fill out the
> following details I can get both of you access:

First Name: Harlan
Last Name: Stenn
Phone: 650 423 1359
Email: stenn at ntp.org
Address: NTP Project
	 c/o Internet Systems Consortium, Inc.
	 950 Charter St
	 Redwood City CA 94063

> After we provision you I can also set up a call with my security lead
> who will review and discuss the results of Veracode's analysis with
> you. A Platform account also gives you access to Veracode's mitigation
> tools and any other analysis we perform on subsequent NTP builds. During
> the call I would also like to discuss scanning a pre-release of 4.2.6.

I'd like that very much.

> There is no charge for this. This service is being made available to
> the open source projects our customers have asked us to scan.

Thanks very much - if you are interested we'll be happy to acknowledge
your efforts on our website.

H

