[ntp:security] Security Vulnerability Notification in NTP daemon

Danny Mayer mayer at ntp.org
Fri Feb 20 19:43:53 UTC 2009


Fergal,

Harlan is on the US West Coast while I'm also in Massachusetts so please
take that into account for planning purposes. It might be useful to look
at your interface to see how to use it and discuss issues from there.
It's Harlan's call.

Danny

Fergal Glynn wrote:
> Harlan,
> 
> You should be receiving a separate notification that describes how to
> access the Veracode service. I would also like to draw your attention to
> a feature in the service that allows you to comment on flaws you feel
> have been erroneously flagged.  To get to this feature: go to the review
> results tab, expand the flaw details by clicking the dark blue/gray
> twisty next to a flaw ID, then expand the Show Comments and Actions
> dropdown. Finally, select "mitigated by design" from the drop down
> Action list and insert a comment. After you have entered your comment
> click Save. My security team will see your entry and this will be taken
> into account as part of the analysis.  
> 
> Would you and the NTP team like to do a readout with our security team?
> On the readout we can provide more insight into our analysis and discuss
> your comments. How does your schedule look Friday (2/27) at 11am, 12pm,
> or 3pm EST? 
> 
> Regards,
> 
> Fergal
> 
> -----Original Message-----
> From: Harlan Stenn [mailto:stenn at ntp.org] 
> Sent: Wednesday, February 18, 2009 6:58 PM
> To: Fergal Glynn
> Cc: security at ntp.org
> Subject: Re: [ntp:security] Security Vulnerability Notification in NTP daemon
> 
> Hi Fergal,
> 
>> Thanks for your response. The analysis is available in a secure location
>> on Veracode's hosted platform. If each of you fill out the following
>> details I can get both of you access:
> 
> First Name: Harlan
> Last Name: Stenn
> Phone: 650 423 1359
> Email: stenn at ntp.org
> Address: NTP Project
> 	 c/o Internet Systems Consortium, Inc.
> 	 950 Charter St
> 	 Redwood City CA 94063
> 
>> After we provision you I can also set up a call with my security lead
>> who will review and discuss the results of Veracode's analysis with you.
>> A Platform account also gives you access to Veracode's mitigation tools
>> and any other analysis we perform on subsequent NTP builds. During the
>> call I would also like to discuss scanning a pre-release of 4.2.6.
> 
> I'd like that very much.
> 
>> There is no charge for this. This service is being made available to the
>> open source projects our customers have asked us to scan.
> 
> Thanks very much - if you are interested we'll be happy to acknowledge
> your efforts on our website.
> 
> H
