[ntp:security] High severity vulnerability in ntpd-4.2.8p8

Harlan Stenn stenn at nwtime.org
Wed Jun 29 11:32:32 UTC 2016


Magnus,

Sue should be up in a couple of hours. How about we see what she recommends?

Sent from my iPhone - please excuse brevity and typos

> On Jun 29, 2016, at 4:14 AM, Magnus Stubman <magnus at stubman.eu> wrote:
> 
> 
> 
> 
>> On 29 Jun 2016, at 13:00, Harlan Stenn <stenn at nwtime.org> wrote:
>> 
>>> On 6/29/16 3:56 AM, Magnus Stubman wrote:
>>> I have two questions:
>>> 
>>> 1. Can you request a CVE for this vulnerability?
>> 
>> Yes.  Sue, might I bother you to handle this?
> 
> Sure. How is it usually done? Sending an encrypted request to cve-assign at mitre.org?
> What information should be included in the request?
> 
> Is there any special namedropping or reference which can be provided to speed up the process for MITRE? I hear that they are quite slow these days...
> 
> My initial guess would be that it would be faster if the request came from you, since I am a “new face” to MITRE.
> 
> The most important thing is that a CVE is available upon release of p9.
> 
>> 
>>> 2. When will the patch be released to the public?
>> 
>> In 4.2.8p9, which will probably happen in about 3 weeks' time.
>> 
>> We have other things to fix in p9 as well, and those *should* be
>> finished in a week, if all goes well.  Then the OS distribution folks
>> like to have 2 weeks to prepare their releases.
>> 
>> -- 
>> Harlan Stenn <stenn at nwtime.org>
>> http://networktimefoundation.org - be a member!
> 
> 
> 
> - Magnus Stubman