[ntp:security] NTP security release VU#961909
stenn at nwtime.org
Thu Feb 22 00:10:38 UTC 2018
On 2/21/18 3:28 PM, Art Manion wrote:
> On 2/20/18 6:56 PM, Harlan Stenn wrote:
> (Please note the tracking ID switch to VU#961909...)
So I should list/track all of the security issues listed for p11 under
> I know I'm behind, but your notice looks great and Garret sent our
> notification out around 11 AM EST today.
> We'll stand by if any issues come up, but don't plan to publish our own
> I think you said you were getting CVE IDs for these? We'd like to make
> sure that the CVE IDs are issues and populated. We'd be happy to help.
> The evolving CVE model is that the assigner should (ideally) fill out
> the entries and submit them back to CVE/MITRE.
We have CVE numbers for all of them.
I didn't include them in the release as information about the bugs and
their fixes are generally embargoed.
Mitre already has the descriptions from when I opened the CVE requests,
and they said they'd fill out the details when we went public.
I'm happy to send CERT the details now, if you prefer.
> - Art
>> The NTP Project at Network Time Foundation plans to release ntp-4.2.8p11
>> on Tuesday, 27 February 2018.
>> This release fixes 6 security items:
>> * 2 low/medium -severity issues in ntpd
>> * 1 informational/medium -severity issue in ntpd
>> * 2 low-severity issues in ntpd
>> * 1 medium-severity issue in ntpq
>> Ntp-4.2.8p11 also includes 65 other non-security fixes and improvements.
>> The NTP Project expects this to be the FINAL RELEASE of the 4.2.8 major
>> release series. Ntp-4.4.0 will be the next major release of the NTP
>> Reference Implementation, and is expected to be available later this
>> Institutional members of the NTP Consortium at Network Time Foundation
>> have already received details of these security items, and received
>> early access to the source code for ntp-4.2.8p11 on 23 January 2018,
>> with an updated tarball on 12 February 2018.
>> If you would like to learn more about the details of what will be fixed
>> in ntp-4.2.8p11 or obtain access to the source code before the public
>> release, please contact Steve Sullivan <stevos at nwtime.org> .
>> * 2018 TENTATIVE: Feb 27: Public release
>> * 2018 Feb 20: CERT notified
>> * 2018 Feb 12: Updated code released to Advance Security
>> Partners containing security * fixes for Bugs 3453
>> and 3454, and FIPS and multicast regressions.
>> * 2018 Feb 05: Bugs 3453 and 3454 reported. Release delayed.
>> * 2018 Jan 23: Initial code release to Advance Security Partners
Harlan Stenn <stenn at nwtime.org>
http://networktimefoundation.org - be a member!
More information about the security