[ntp:security] Security bugs fixed in 4.2.8p4

Danny Mayer mayer at pdmconsulting.net
Thu Oct 22 14:13:43 UTC 2015


On 10/22/2015 3:55 AM, Harlan Stenn wrote:
> Folks,
> 
> We resolved a number of security bugs in 4.2.87p4.
> 
> If anybody has time to help with the following I'd appreciate it.
> 
> 1) I didn't do a careful study of how far back any of the
> vulnerabilities go.  It would be useful if this could be done.  On the
> one hand I'm not terribly worried about this, as we only support 4.2.8.
> But Kurt Roeckx, a Debian guy, says he needs to maintain a bunch of
> different versions of 4.2.6 (for example) and he'd like some help.  I'd
> love to help him out, but we just don't have the resources.

Without funding it's not practical, and you are the only one full-time on
the project with the development capabilities needed for such a thing. While
it's a nice-to-know, the habit of backporting patches is self-defeating
in the end, because just testing the changes and making them available is
just as much effort as testing a new version, and a backport may open up
new holes as unintended side effects, as well as not including fixes made
between the two versions. I know that Red Hat does this too, but I think
anyone taking a patched version of a previous version is at as much risk as
taking the new version.

> 
> 1b) Now I wonder if he'd be interested and willing to see if the Debian
> folks (assuming they are part of the Linux Foundation) to lobby them to
> a) directly support NTF, and b) get us more money.  I have no idea how
> Kurt feels about ESR.

Money from anywhere would be nice...

> 
> 2) Danny expressed a concern that a number of these bugs have
> attachments that I've uploaded from the original reports, and these
> include detailed exploit information.  He wonders if we should be making
> this information public.  I see pros/cons here, and our decision may be
> much easier if somebody(!) would look through the TALOS website for each of
> these, because if they've published there then there's no reason we
> should not publish this as well.  We want to keep eyeballs on our
> websites, not redirect them to other sites.
> 
> Similarly, the Cisco and BU bug reports might have similar information
> on the bug reports, and if that information is also on their website
> pages there's no reason we should withhold publishing the bugs.
> 
> My goal here is to get our security bugs opened up ASAP.
> 
> I've also asked Gerv if there's a way we can restrict access to
> attachments.  If so, we can restrict those while we decide if they can
> be published or not.
>

If necessary, can you just delete the attachments and put them back later
if you decide to post them?

Danny