[ntp:security] [oCERT-2008-016 draft] OpenSSL incorrect checks for malformed signatures
stenn at ntp.org
Mon Jan 5 10:47:31 UTC 2009
I'm planning to install the "obvious" patch to both ntp-stable
(which will be released as ntp-4.2.4p6) and ntp-dev (which might be
4.2.5p152 or it could be p153). (Dave, this will include updating the
year in the copyright file.)
I believe there will be Windows installer releases of the patched NTP
code available as well.
At what time (GMT) is it OK for me to release these patches? I have to
get the code into our repositories and then notify our Windows packaging
folks so they can begin to build the Windows versions.
As soon as I put these patches into our repositories they will, in
effect, "go public".
It's very late for me - I hope I covered all the points and did not miss
> On Tue, Dec 16, 2008 at 08:46:00PM +0000, Harlan Stenn wrote:
> > Andrea,
> > Thanks for the heads-up.
> > Dave, the code is in one place in ntp_crypto.c. Do you agree with the
> > patch? If so, I would prefer to make the fix myself as on January 7th I
> > would make the fix in ntp-stable and then "pull it forward" to ntp-dev,
> > but it's no big deal to me either way.
> > As I read the notice from ocert.org, they do not want fixes for this bug
> > to be published before 7 Jan.
> If you can send us the patch beforehand we would pre-notify it to affected
> vendors if you like, so that they can promptly release patched packages at
> embargo time.
> Also if you can tell me the NTP version which will fix this issue that is
> going to be released on January 7th I can reference it in the advisory
> (unless you plan to commit it only in your repository and not make a release,
> in which case I'll reference it as "fixed in CVS|SVN" or something).
> > H
> Andrea Barisani | Founder & Project Coordinator
> oCERT | Open Source Computer Emergency Response Team
> <lcars at ocert.org> http://www.ocert.org
> 0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
> "Pluralitas non est ponenda sine necessitate"