[ntp:security] [FICORA #829967] ntpd control message crash

NCSC-FI Vulnerability Co-ordination vulncoord at ficora.fi
Thu Jun 25 07:49:25 UTC 2015


Hi,

Sorry for the late reply, Tapio just left for holidays and I just
returned..

On 06/24/2015 05:50 PM, Harlan Stenn wrote:
> - When we publish, what URL do we use for FICORA #829967 ?

Our advisory will most likely appear at:

https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2015/haavoittuvuus-2015-052.html

Due to the peculiarities of our publishing system, the number 052
might still change, I'll keep you updated if that happens.

> - we're ready to send an announcement out to CERT-like folks about
>  this fix, including access to the preliminary patch.  Is this 
> something FICORA can handle with us, or do we need to contact our 
> usual CERT channels?

Normally we do not engage much of our contact network related to
vulnerability pre-announcements, but we can certainly help you with
this. We have good and trusted working relationships within the EGC
(European Governmental Certs group), fellow vulnerability coordinators
(CERT/CC, JPCERT/CC) and within the Trusted Introducer network as well
as IWWN (International Watch and Warning Network). Outside of these
groups, we have bilateral relationships with a number of CERT actors
as well as vendors who use NTP within their products.

What kind of distribution are you thinking about?

> We're not seeing this issue as anything particularly dangerous, so 
> we're planning to go public with it in about 48 hours' time, when 
> we release ntp-4.2.8p3.

Sounds good.

-Jussi


