[ntp:security] [Bug 2671] vallen is not validated, leading to potential info leak

bugzilla-daemon at ntp.org
Fri Jan 9 11:21:49 UTC 2015


--- Comment #6 from Martin Burnicki <burnicki at ntp.org> 2015-01-09 11:21:49 UTC ---
I'm one of the folks who ran a quick test on this. ;-)

I've set up a server and a client, both running 4.2.8p1-beta5, configured
autokey, and verified that the client synchronizes to the server.

Then I replaced first the client only, then the server only, and finally both
binaries with the v4.2.8p1-bug2671-RC1 from Harlan's private directory, and I
can confirm that each combination still works, at least with the IFF keys.
Haven't looked at the patches yet, so I can't tell if the key type matters.
