[ntp:security] Cisco ASIG NTP Defect Batch 1

Matthew Van Gundy mvangund at cisco.com
Thu Oct 8 12:53:44 UTC 2015

Hi Harlan,

On 10/8/15 3:47 AM, Harlan Stenn wrote:
> Folks,
> Seeing a "batch 1" makes me wonder how many other batches there are.

Right now, there is only one batch.  Unfortunately, since finding
vulnerabilities is a process of discovering the previously unknown, we
can't anticipate the timing.  However, we endeavor to report defects as
quickly after we find them as possible rather than delay release until
our evaluation is over.  Under the assumption that there may be future
batches, I attached a version number to try to avoid confusion.

> We also need to decide how soon to release the updates based on batch 1.
> It will be Difficult but possibly doable (not sure yet) to get these
> released as part of 4.2.8p4, in a few days' time.
> If we don't do this soon, I'd like to wait a month before releasing p5,
> and this also depends on if there are more issues coming.

Obviously, releasing fixes as soon as possible is always preferable.
However, I think that you and your team are in the best place to judge
what the appropriate timeline is for making changes, testing, etc.
before a release.  But, if it helps, at this time there is no "Batch 2"
in the pipeline that you should be waiting for.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 236 bytes
Desc: OpenPGP digital signature
URL: <http://lists.ntp.org/private/security/attachments/20151008/8b98d766/attachment.sig>

More information about the security mailing list