[ntp:security] Security Vulnerability Notification in NTP daemon

Fergal Glynn FGlynn at Veracode.com
Fri Feb 20 19:57:50 UTC 2009

Thanks Danny,

I think it's a great idea to look at the interface. Mentioned below are
instructions on how to comment on flaws you feel have been erroneously
flagged. If you can do this prior to a call our research team will be
better prepared and this will lead to a more productive meeting. We will
make sure we set up a meeting that suits all time-zones.



-----Original Message-----
From: Danny Mayer [mailto:mayer at ntp.org] 
Sent: Friday, February 20, 2009 2:44 PM
To: Fergal Glynn
Cc: Harlan Stenn; security at ntp.org
Subject: Re: [ntp:security] Security Vulnerability Notification in NTP


Harlan is on the US West Coast while I'm also in Massachusetts so please
take that into account for planning purposes. It might be useful to look
at your interface to see how to use it and discuss issues from there.
It's Harlan's call.


Fergal Glynn wrote:
> Harlan,
> You should be receiving a separate notification that describes how to
> access the Veracode service. I would also like to draw your attention to
> a feature in the service that allows you to comment on flaws you feel
> have been erroneously flagged.  To get to this feature: go to the
> results tab, expand the flaw details by clicking the dark blue/gray
> twisty next to a flaw ID, then expand the Show Comments and Actions
> dropdown. Finally, select "mitigated by design" from the drop down
> Action list and insert a comment. After you have entered your comment
> click Save. My security team will see your entry and this will be taken
> into account as part of the analysis.
> Would you and the NTP team like to do a readout with our security
> On the readout we can provide more insight into our analysis and
> your comments. How does your schedule look Friday (2/27) at 11am,
> or 3pm EST? 
> Regards,
> Fergal
> -----Original Message-----
> From: Harlan Stenn [mailto:stenn at ntp.org] 
> Sent: Wednesday, February 18, 2009 6:58 PM
> To: Fergal Glynn
> Cc: security at ntp.org
> Subject: Re: [ntp:security] Security Vulnerability Notification in NTP daemon
> Hi Fergal,
>> Thanks for your response. The analysis is available in a secure location
>> on Veracode's hosted platform. If each of you fill out the following
>> details I can get both of you access:
> First Name: Harlan
> Last Name: Stenn
> Phone: 650 423 1359
> Email: stenn at ntp.org
> Address: NTP Project
> 	 c/o Internet Systems Consortium, Inc.
> 	 950 Charter St
> 	 Redwood City CA 94063
>> After we provision you I can also set up a call with my security lead
>> who will review and discuss the results of Veracode's analysis with you.
>> A Platform account also gives you access to Veracode's mitigation tools
>> and any other analysis we perform on subsequent NTP builds. During the
>> call I would also like to discuss scanning a pre-release of 4.2.6.
> I'd like that very much.
>> There is no charge for this. This service is being made available to the
>> open source projects our customers have asked us to scan.
> Thanks very much - if you are interested we'll be happy to acknowledge
> your efforts on our website.
> H
