[ntp:security] High severity vulnerability in ntpd-4.2.8p8

Magnus Stubman magnus at stubman.eu
Wed Jun 29 11:14:21 UTC 2016




> On 29 Jun 2016, at 13:00, Harlan Stenn <stenn at nwtime.org> wrote:
> 
> On 6/29/16 3:56 AM, Magnus Stubman wrote:
>> I have two questions:
>> 
>> 1. Can you request a CVE for this vulnerability?
> 
> Yes.  Sue, might I bother you to handle this?

Sure. How is it usually done? Sending an encrypted request to cve-assign at mitre.org <mailto:cve-assign at mitre.org> ?
What information should be included in the request?

Is there any special namedropping or reference which can be provided to speed up the process for mitre? I hear that they are quite slow these days..

My initial guess would be that it would be faster if the request came from you, since I am a “new face” to mitre.

The most important thing is that a CVE is available upon release of p9.

> 
>> 2. When will the patch be released to the public?
> 
> In 4.2.8p9, which will probably happen in about 3 weeks' time.
> 
> We have other things to fix in p9 as well, and those *should* be
> finished in a week, if all goes well.  Then the OS distribution folks
> like to have 2 weeks' to prepare their releases.
> 
> -- 
> Harlan Stenn <stenn at nwtime.org>
> http://networktimefoundation.org - be a member!
> 



- Magnus Stubman
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ntp.org/private/security/attachments/20160629/52f9e112/attachment.html>


More information about the security mailing list