[ntp:security] NTP security release VU#961909

Art Manion amanion at cert.org
Wed Feb 21 23:28:33 UTC 2018


On 2/20/18 6:56 PM, Harlan Stenn wrote:

(Please note the tracking ID switch to VU#961909...)

I know I'm behind, but your notice looks great and Garret sent our notification out around 11 AM EST today.

We'll stand by if any issues come up, but don't plan to publish our own advisory.

I think you said you were getting CVE IDs for these?  We'd like to make sure that the CVE IDs are issues and populated.  We'd be happy to help.  The evolving CVE model is that the assigner should (ideally) fill out the entries and submit them back to CVE/MITRE.

Regards,

  - Art


  
> The NTP Project at Network Time Foundation plans to release ntp-4.2.8p11
> on Tuesday, 27 February 2018.
> 
> This release fixes 6 security items:
> * 2 low/medium -severity issues in ntpd
> * 1 informational/medium -severity issue in ntpd
> * 2 low-severity issues in ntpd
> * 1 medium-severity issue in ntpq
> 
> Ntp-4.2.8p11 also includes 65 other non-security fixes and improvements.
> 
> The NTP Project expects this to be the FINAL RELEASE of the 4.2.8 major
> release series.  Ntp-4.4.0 will be the next major release of the NTP
> Reference Implementation, and is expected to be available later this summer.
> 
> Institutional members of the NTP Consortium at Network Time Foundation
> have already received details of these security items, and received
> early access to the source code for ntp-4.2.8p11 on 23 January 2018,
> with an updated tarball on 12 February 2018.
> 
> If you would like to learn more about the details of what will be fixed
> in ntp-4.2.8p11 or obtain access to the source code before the public
> release, please contact Steve Sullivan <stevos at nwtime.org> .
> 
> Timeline:
> * 2018 TENTATIVE: Feb 27: Public release
> * 2018 Feb 20: CERT notified
> * 2018 Feb 12: Updated code released to Advance Security
> 	Partners containing security * fixes for Bugs 3453
> 	and 3454, and FIPS and multicast regressions.
> * 2018 Feb 05: Bugs 3453 and 3454 reported.  Release delayed.
> * 2018 Jan 23: Initial code release to Advance Security Partners
> 
> 



More information about the security mailing list