[ntp:security] NTP security release VU#961909

Harlan Stenn stenn at nwtime.org
Thu Feb 22 00:10:38 UTC 2018



On 2/21/18 3:28 PM, Art Manion wrote:
> On 2/20/18 6:56 PM, Harlan Stenn wrote:
> 
> (Please note the tracking ID switch to VU#961909...)

Thanks, Art!

So I should list/track all of the security issues listed for p11 under
VU#961909?

> I know I'm behind, but your notice looks great and Garret sent our
> notification out around 11 AM EST today.
> 
> We'll stand by if any issues come up, but don't plan to publish our own
> advisory.
> 
> I think you said you were getting CVE IDs for these?  We'd like to make
> sure that the CVE IDs are issued and populated.  We'd be happy to help.
> The evolving CVE model is that the assigner should (ideally) fill out
> the entries and submit them back to CVE/MITRE.

We have CVE numbers for all of them.

I didn't include them in the release as information about the bugs and
their fixes is generally embargoed.

Mitre already has the descriptions from when I opened the CVE requests,
and they said they'd fill out the details when we went public.

I'm happy to send CERT the details now, if you prefer.

H
--
> Regards,
> 
>  - Art
> 
> 
>  
>> The NTP Project at Network Time Foundation plans to release ntp-4.2.8p11
>> on Tuesday, 27 February 2018.
>>
>> This release fixes 6 security items:
>> * 2 low/medium-severity issues in ntpd
>> * 1 informational/medium-severity issue in ntpd
>> * 2 low-severity issues in ntpd
>> * 1 medium-severity issue in ntpq
>>
>> Ntp-4.2.8p11 also includes 65 other non-security fixes and improvements.
>>
>> The NTP Project expects this to be the FINAL RELEASE of the 4.2.8 major
>> release series.  Ntp-4.4.0 will be the next major release of the NTP
>> Reference Implementation, and is expected to be available later this
>> summer.
>>
>> Institutional members of the NTP Consortium at Network Time Foundation
>> have already received details of these security items, and received
>> early access to the source code for ntp-4.2.8p11 on 23 January 2018,
>> with an updated tarball on 12 February 2018.
>>
>> If you would like to learn more about the details of what will be fixed
>> in ntp-4.2.8p11 or obtain access to the source code before the public
>> release, please contact Steve Sullivan <stevos at nwtime.org>.
>>
>> Timeline:
>> * 2018 TENTATIVE: Feb 27: Public release
>> * 2018 Feb 20: CERT notified
>> * 2018 Feb 12: Updated code released to Advance Security
>>     Partners containing security fixes for Bugs 3453
>>     and 3454, and FIPS and multicast regressions.
>> * 2018 Feb 05: Bugs 3453 and 3454 reported.  Release delayed.
>> * 2018 Jan 23: Initial code release to Advance Security Partners
>>
>>
> 
> 

-- 
Harlan Stenn <stenn at nwtime.org>
http://networktimefoundation.org - be a member!

