[ntp:security] Talos VulnDev Follow up - NTP Vulnerability

Rich Johnson (richjoh) richjoh at cisco.com
Tue Apr 12 18:10:59 UTC 2016


Harlan, what is the release channel for folks who follow CERT? I’m unclear on what that means.


Regards,

Richard Johnson
Research Manager
Cisco Talos



From: Regina Wilson -T (regiwils - ETTAIN GROUP INC at Cisco)<mailto:regiwils at cisco.com>
Sent: Tuesday, April 12, 2016 12:57 PM
To: Harlan Stenn<mailto:stenn at nwtime.org>
Cc: security at ntp.org<mailto:security at ntp.org>; vulndev(mailer list)<mailto:vulndev at cisco.com>; Rich Johnson (richjoh)<mailto:richjoh at cisco.com>
Subject: Re: [ntp:security] Talos VulnDev Follow up - NTP Vulnerability

Hello Harlan,

Thank you for the updated timeline.  We will coordinate release on our end accordingly.

Kind Regards,
Regina Wilson
Project Coordinator, Open Source and Threat Intelligence
regiwils at cisco.com<mailto:regiwils at cisco.com>


[cid:AACBB485-2980-4FC8-8D27-319207FCAF01 at vrt.sourcefire.com]

On Apr 12, 2016, at 12:41 PM, Harlan Stenn <stenn at nwtime.org<mailto:stenn at nwtime.org>> wrote:

Hi Regina,

We're planning a pre-release to advance security release partners today, availability to folks who follow CERT next Tuesday, the 19th, and public release on Tuesday the 26th.
Sent from my iPhone - please excuse brevity and typos

On Apr 12, 2016, at 4:53 AM, Regina Wilson -T (regiwils - ETTAIN GROUP INC at Cisco) <regiwils at cisco.com<mailto:regiwils at cisco.com>> wrote:
Hello Harlan,

I’d like to confirm today’s version release which will address the identified vulnerabilities.  Please advise if there’s a particular time today which you’d like to coordinate the disclosure release.

Thank you,


Regina Wilson
Project Coordinator, Open Source and Threat Intelligence
regiwils at cisco.com<mailto:regiwils at cisco.com>


<talos_sig[4].png>

On Mar 25, 2016, at 8:15 AM, Regina Wilson -T (regiwils - ETTAIN GROUP INC at Cisco) <regiwils at cisco.com<mailto:regiwils at cisco.com>> wrote:

Thank you for the update.

Kind Regards,

Regina Wilson
Project Coordinator, Open Source and Threat Intelligence
regiwils at cisco.com<mailto:regiwils at cisco.com>


<talos_sig[4].png>

On Mar 24, 2016, at 10:25 PM, Harlan Stenn <stenn at nwtime.org<mailto:stenn at nwtime.org>> wrote:



On 3/24/16 6:17 AM, Regina Wilson -T (regiwils - ETTAIN GROUP INC at
Cisco) wrote:

Hello Harlan,

Can you also confirm if the following vuln will be addressed in the release?

TALOS-CAN-0132 - CVE-2016-1551

Yes, 018-refclock-peering (TALOS-CAN-0132) is fixed and will be part of
4.2.8p7.

H
---


I’ve attached encrypted zip file with advisory for your review.




*Regina Wilson*
Project Coordinator, Open Source and Threat Intelligence
regiwils at cisco.com<mailto:regiwils at cisco.com> <mailto:regiwils at cisco.com>






On Mar 23, 2016, at 8:40 AM, Regina Wilson -T (regiwils - ETTAIN GROUP INC at
Cisco) <regiwils at cisco.com<mailto:regiwils at cisco.com> <mailto:regiwils at cisco.com>> wrote:

Hello Harlan,

Thank you for the update.

Kind Regards,

*Regina Wilson*
Project Coordinator, Open Source and Threat Intelligence
regiwils at cisco.com<mailto:regiwils at cisco.com> <mailto:regiwils at cisco.com>


<talos_sig[4].png>


On Mar 22, 2016, at 4:58 PM, Harlan Stenn <stenn at nwtime.org<mailto:stenn at nwtime.org>
<mailto:stenn at nwtime.org>> wrote:

Hi,

These are all scheduled for the 4.2.8p7 release, which we now think will
be released to the public on 12 April.

On 3/22/16 7:10 AM, Regina Wilson -T (regiwils - ETTAIN GROUP INC at
Cisco) wrote:

Hello,

I am following up on any updates for disclosure release schedules for the
following vulnerabilities:

TALOS-CAN-0081 - CVE-2016-1547
TALOS-CAN-0082 - CVE-2016-1548
TALOS-CAN-0083 - CVE 2016-1549
TALOS-CAN-0084 - CVE 2016-1550

For further information about our disclosure process and PGP key for the
vulnerability team, please see
http://www.cisco.com/web/about/security/psirt/vendor_vulnerability_policy.html

*Regina Wilson*
Project Coordinator, Open Source and Threat Intelligence
regiwils at cisco.com<mailto:regiwils at cisco.com> <mailto:regiwils at cisco.com><mailto:regiwils at cisco.com>

--
Harlan Stenn <stenn at nwtime.org<mailto:stenn at nwtime.org> <mailto:stenn at nwtime.org>>
http://networktimefoundation.org<http://networktimefoundation.org/> <http://networktimefoundation.org/>- be a
member!



--
Harlan Stenn <stenn at nwtime.org<mailto:stenn at nwtime.org>>
http://networktimefoundation.org<http://networktimefoundation.org/> - be a member!




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ntp.org/private/security/attachments/20160412/040e1da5/attachment-0001.html>


More information about the security mailing list