[ntp:security] Talos VulnDev Follow up - NTP Vulnerability

Harlan Stenn stenn at nwtime.org
Tue Apr 12 18:54:15 UTC 2016


Per usual, we'll tell CERT in a week about the pending release, list basic info about the fixed vulnerabilities and other fixes, say that our advance security patch partners got the code a week ago, that public release will be in 1 week and if anybody wants early access to the release they should contact Sue Graves at NTF. 

Sent from my iPhone - please excuse brevity and typos

> On Apr 12, 2016, at 11:10 AM, Rich Johnson (richjoh) <richjoh at cisco.com> wrote:
> 
> Harlan, what is the release channel for folks who follow CERT? I’m unclear on what that means.
>  
>  
> Regards,
>  
> Richard Johnson
> Research Manager
> Cisco Talos
>  
>  
>  
> From: Regina Wilson -T (regiwils - ETTAIN GROUP INC at Cisco)
> Sent: Tuesday, April 12, 2016 12:57 PM
> To: Harlan Stenn
> Cc: security at ntp.org; vulndev(mailer list); Rich Johnson (richjoh)
> Subject: Re: [ntp:security] Talos VulnDev Follow up - NTP Vulnerability
>  
> Hello Harlan,
>  
> Thank you for the updated timeline.  We will coordinate release on our end accordingly.
>  
> Kind Regards,
> Regina Wilson
> Project Coordinator, Open Source and Threat Intelligence
> regiwils at cisco.com
>  
> 
> 
>  
> On Apr 12, 2016, at 12:41 PM, Harlan Stenn <stenn at nwtime.org> wrote:
>  
> Hi Regina,
>  
> We're planning a pre-release to advance security release partners today, availability to folks who follow CERT next Tuesday, the 19th, and public release on Tuesday the 26th. 
> 
> Sent from my iPhone - please excuse brevity and typos
> 
> On Apr 12, 2016, at 4:53 AM, Regina Wilson -T (regiwils - ETTAIN GROUP INC at Cisco) <regiwils at cisco.com> wrote:
> 
> Hello Harlan,
>  
> I’d like to confirm today’s version release which will address the identified vulnerabilities.  Please advise if there’s a particular time today which you’d like to coordinate the disclosure release.
>  
> Thank you,
>  
>  
> Regina Wilson
> Project Coordinator, Open Source and Threat Intelligence
> regiwils at cisco.com
>  
> 
>  
> On Mar 25, 2016, at 8:15 AM, Regina Wilson -T (regiwils - ETTAIN GROUP INC at Cisco) <regiwils at cisco.com> wrote:
>  
> Thank you for the update.
>  
> Kind Regards,
>  
> Regina Wilson
> Project Coordinator, Open Source and Threat Intelligence
> regiwils at cisco.com
>  
> 
>  
> On Mar 24, 2016, at 10:25 PM, Harlan Stenn <stenn at nwtime.org> wrote:
>  
> 
> 
> On 3/24/16 6:17 AM, Regina Wilson -T (regiwils - ETTAIN GROUP INC at
> Cisco) wrote:
> 
> Hello Harlan,
> 
> Can you also confirm if the following vuln will be addressed in the release?
> 
> TALOS-CAN-0132 - CVE-2016-1551
> 
> Yes, 018-refclock-peering (TALOS-CAN-0132) is fixed and will be part of
> 4.2.8p7.
> 
> H
> ---
> 
> 
> I’ve attached an encrypted zip file with the advisory for your review.
> 
> 
> 
> 
> *Regina Wilson*
> Project Coordinator, Open Source and Threat Intelligence
> regiwils at cisco.com
> 
> 
> 
> 
> 
> 
> On Mar 23, 2016, at 8:40 AM, Regina Wilson -T (regiwils - ETTAIN GROUP INC at Cisco) <regiwils at cisco.com> wrote:
> 
> Hello Harlan,
> 
> Thank you for the update.
> 
> Kind Regards,
> 
> *Regina Wilson*
> Project Coordinator, Open Source and Threat Intelligence
> regiwils at cisco.com
> 
> 
> 
> 
> On Mar 22, 2016, at 4:58 PM, Harlan Stenn <stenn at nwtime.org> wrote:
> 
> Hi,
> 
> These are all scheduled for the 4.2.8p7 release, which we now think will
> be released to the public on 12 April.
> 
> On 3/22/16 7:10 AM, Regina Wilson -T (regiwils - ETTAIN GROUP INC at
> Cisco) wrote:
> 
> Hello,
> 
> I am following up on any updates for disclosure release schedules for the
> following vulnerabilities:
> 
> TALOS-CAN-0081 - CVE-2016-1547
> TALOS-CAN-0082 - CVE-2016-1548
> TALOS-CAN-0083 - CVE-2016-1549
> TALOS-CAN-0084 - CVE-2016-1550
> 
> For further information about our disclosure process and PGP key for the
> vulnerability team, please see
> http://www.cisco.com/web/about/security/psirt/vendor_vulnerability_policy.html
> 
> *Regina Wilson*
> Project Coordinator, Open Source and Threat Intelligence
> regiwils at cisco.com
> 
> --
> Harlan Stenn <stenn at nwtime.org>
> http://networktimefoundation.org - be a member!
>  
>  
> 
> -- 
> Harlan Stenn <stenn at nwtime.org>
> http://networktimefoundation.org - be a member!
> 
>  
>  
>  
>  