[ntp:security] Security bugs fixed in 4.2.8p4

Harlan Stenn stenn at nwtime.org
Thu Oct 22 07:55:23 UTC 2015


We resolved a number of security bugs in 4.2.8p4.

If anybody has time to help with the following I'd appreciate it.

1) I didn't do a careful study of how far back any of the
vulnerabilities go.  It would be useful if this could be done.  On the
one hand I'm not terribly worried about this, as we only support 4.2.8.
But Kurt Roeckx, a debian guy, says he needs to maintain a bunch of
different versions of 4.2.6 (for example) and he'd like some help.  I'd
love to help him out, but we just don't have the resources.

1b) Now I wonder if he'd be interested and willing to see if the Debian
folks (assuming they are part of the Linux Foundation) would lobby them
to a) directly support NTF, and b) get us more money.  I have no idea how
Kurt feels about ESR.

2) Danny expressed a concern that a number of these bugs have
attachments that I've uploaded from the original reports, and these
include detailed exploit information.  He wonders if we should be making
this information public.  I see pros/cons here, and our decision may be
much easier if somebody(!) would look through the TALOS website for each of
these, because if they've published there then there's no reason we
should not publish this as well.  We want to keep eyeballs on our
websites, not redirect them to other sites.

Similarly, the Cisco and BU bug reports might have similar information
on the bug reports, and if that information is also on their website
pages there's no reason we should withhold publishing the bugs.

My goal here is to get our security bugs opened up ASAP.

I've also asked Gerv if there's a way we can restrict access to
attachments.  If so, we can restrict those while we decide if they can
be published or not.

Harlan Stenn <stenn at nwtime.org>
http://networktimefoundation.org - be a member!