[ntp:security] New NTP Defect Disclosure

Harlan Stenn stenn at nwtime.org
Wed Oct 7 17:16:24 UTC 2015


Are these public disclosures or initial / embargoed disclosures?

Sent from my iPhone - please excuse brevity and typos

> On Oct 7, 2015, at 9:16 AM, Harlan Stenn <stenn at nwtime.org> wrote:
> 
> Hi Matt,
> 
>> On 10/7/15 8:12 AM, Matthew Van Gundy wrote:
>> Hi Harlan,
>> 
>> ASIG has a number of defects to disclose today.  I noted that, in a
>> previous email to Rich Johnson, you asked if Brad Knowles had already
>> sent a copy of the new security at ntp.org key.  I haven't received an
>> email from Brad Knowles.  Would you prefer to send me the
>> security at ntp.org key or should I just encrypt the disclosures to you?
> 
> I thought I saw the email from Brad.
> 
> The security at ntp.org key should be on the public keyservers.  I've
> attached it here as well.
> 
>> Also, as all of the defects also affect NTPSec, so we will also be
>> disclosing the defects to them.  Would you prefer us to make a joint
>> disclosure: everyone on the same thread and a single bundle with the NTP
>> and NTPSec versions affected clearly delineated?  Or would you prefer us
>> to keep the threads with NTF and NTPSec separate?
> 
> I have a slight preference for keeping the threads separate.
> 
> -- 
> Harlan Stenn <stenn at nwtime.org>
> http://networktimefoundation.org - be a member!
> <0x0066B2FD.asc>
> _______________________________________________
> security mailing list
> security at lists.ntp.org
> http://lists.ntp.org/listinfo/security



More information about the security mailing list