[ntp:security] [oCERT-2008-016 draft] OpenSSL incorrect checks for malformed signatures

Harlan Stenn stenn at ntp.org
Mon Jan 5 10:47:31 UTC 2009


Hi Andrea,

I'm planning to install the "obvious" patch to both ntp-stable
(which will be released as ntp-4.2.4p6) and ntp-dev (which might be
4.2.5p152 or it could be p153).  (Dave, this will include updating the
year in the copyright file.)

I believe there will be Windows installer releases of the patched NTP
code available as well.

At what time (GMT) is it OK for me to release these patches?  I have to
get the code into our repositories and then notify our Windows packaging
folks so they can begin to build the windows versions.

As soon as I put these patches into our repositories they will, in
effect, "go public".

It's very late for me - I hope I covered all the points and did not miss
anything.

H
--
> On Tue, Dec 16, 2008 at 08:46:00PM +0000, Harlan Stenn wrote:
> > Andrea,
> > 
> > Thanks for the heads-up.
> > 
> > Dave, the code is in one place in ntp_crypto.c.  Do you agree with the
> > patch?  If so, I would prefer to make the fix myself as on January 7th I
> > would make the fix in ntp-stable and then "pull it forward" to ntp-dev,
> > but it's no big deal to me either way.
> > 
> > As I read the notice from ocert.org, they do not want fixes for this bug
> > to be published before 7 Jan.
> >
> 
> Heya,
> 
> If you can send us the patch beforehand we would pre-notify it to affected
> vendors if you like, so that they can promptly release patched packages at
> embargo time.
> 
> Also if you can tell me the NTP version which will fix this issue that is
> going to be released on January 7th I can reference it in the advisory
> (unless you plan to commit it only in your repository and not make a release,
> in which case I'll reference it as "fixed in CVS|SVN" or something).
> 
> Thanks!
> 
> > H
> 
> -- 
> Andrea Barisani |                Founder & Project Coordinator
>           oCERT | Open Source Computer Emergency Response Team
> 
> <lcars at ocert.org>                         http://www.ocert.org
>  0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
>         "Pluralitas non est ponenda sine necessitate"
