[ntp:security] [VU#961909] NTP security release

Harlan Stenn stenn at nwtime.org
Wed Feb 21 23:29:15 UTC 2018


Thanks, Garret!

H

On 2/21/18 7:27 AM, CERT(R) Coordination Center wrote:
> Hi Harlan,
> 
> This advisory looks fine. I am sending this to our vendor mailing lists right now. We're not planning to publish and will instead direct vendors to contact you directly (at the info listed in the advisory).
> 
> Let us know if you have any other questions.
> 
> 
> Best Regards,
> 
> Garret WASSERMANN
> 
> Vulnerability Analysis Team
> CERT Coordination Center (CERT/CC)
> A division of:
> Software Engineering Institute
> Carnegie Mellon University
> 
> Harlan Stenn <stenn at nwtime.org> writes:
>> Hi Art,
> 
>> How's this:
> 
>> The NTP Project at Network Time Foundation plans to release ntp-4.2.8p11
>> on Tuesday, 27 February 2018.
> 
>> This release fixes 6 security items:
>> * 2 low/medium -severity issues in ntpd
>> * 1 informational/medium -severity issue in ntpd
>> * 2 low-severity issues in ntpd
>> * 1 medium-severity issue in ntpq
> 
>> Ntp-4.2.8p11 also includes 65 other non-security fixes and improvements.
> 
>> The NTP Project expects this to be the FINAL RELEASE of the 4.2.8 major
>> release series.  Ntp-4.4.0 will be the next major release of the NTP
>> Reference Implementation, and is expected to be available later this summer.
> 
>> Institutional members of the NTP Consortium at Network Time Foundation
>> have already received details of these security items, and received
>> early access to the source code for ntp-4.2.8p11 on 23 January 2018,
>> with an updated tarball on 12 February 2018.
> 
>> If you would like to learn more about the details of what will be fixed
>> in ntp-4.2.8p11 or obtain access to the source code before the public
>> release, please contact Steve Sullivan <stevos at nwtime.org> .
> 
>> Timeline:
>> * 2018 TENTATIVE: Feb 27: Public release
>> * 2018 Feb 20: CERT notified
>> * 2018 Feb 12: Updated code released to Advance Security
>> 	Partners containing security * fixes for Bugs 3453
>> 	and 3454, and FIPS and multicast regressions.
>> * 2018 Feb 05: Bugs 3453 and 3454 reported.  Release delayed.
>> * 2018 Jan 23: Initial code release to Advance Security Partners
> 

-- 
Harlan Stenn <stenn at nwtime.org>
http://networktimefoundation.org - be a member!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 699 bytes
Desc: OpenPGP digital signature
URL: <http://lists.ntp.org/private/security/attachments/20180221/62e1cd2d/attachment.sig>


More information about the security mailing list