dfoxfra...@gmail.com said:
> I'm on the fence as to whether this bug is bad enough to merit tagging a
> release right away. Both NTP.org and the Red Hat folks who discovered the bug
> are downplaying it, but I'm leaning toward yes given that even *legitimate*
> leap seconds have a long history of c
Yo Eric!
On Fri, 3 Jun 2016 11:15:13 -0400
"Eric S. Raymond" wrote:
> Yeouch! I think your caution is well-founded. I also think it would
> do NTPsec no harm to be *seen* to be more cautious and
> security-sensitive than NTP.org, even if this weren't a real ops
> issue.
+1. If the bug warrant
Daniel Franke:
> Anyway, although NTP.org blew this advisory, they did get the patch
> correct, and as I reported in my previous email I've already ported
> and pushed that patch as of yesterday morning. I'm on the fence as to
> whether this bug is bad enough to merit tagging a release right away.
As I suspected and Miroslav just confirmed
(http://bugs.ntp.org/show_bug.cgi?id=3044 comment #5, and in more
detail privately), the description of CVE-2016-4954 in NTP.org's security
advisory is wrong. Here's how the vulnerability works and what an
attacker can do with it:
The receive() function runs
Daniel Franke:
> On 6/2/16, Sanjeev Gupta wrote:
> > On Fri, Jun 3, 2016 at 2:00 AM, Daniel Franke wrote:
> >
> >> The remaining, low-severity vulnerability, CVE-2016-4954
> >
> >
> > This alone is worth the price of admission.
> >
> > Who is writing the announcement to LWN?
>
> Before that I w
On 6/2/16, Sanjeev Gupta wrote:
> On Fri, Jun 3, 2016 at 2:00 AM, Daniel Franke wrote:
>
>> The remaining, low-severity vulnerability, CVE-2016-4954
>
>
> This alone is worth the price of admission.
>
> Who is writing the announcement to LWN?
Before that I want to make sure we get the impact ana
On 6/2/16, Eric S. Raymond wrote:
> You sent this to an archived public list. I take it that means the
> embargo is up and I can talk about this in public?
Yup, all advisories are posted publicly on ntp.org.
Daniel Franke:
> NTP Classic 4.2.8-p8 was released today, containing fixes for one
> high-severity and four low-severity vulnerabilities. Four of these
> five vulnerabilities, including the high-severity one, do not impact
> NTPsec. CVE-2016-4956 and CVE-2016-4957 were introduced into NTP
> Classi
On Fri, Jun 3, 2016 at 2:00 AM, Daniel Franke wrote:
> The remaining, low-severity vulnerability, CVE-2016-4954
This alone is worth the price of admission.
Who is writing the announcement to LWN?
--
Sanjeev Gupta
+65 98551208 http://www.linkedin.com/in/ghane
NTP Classic 4.2.8-p8 was released today, containing fixes for one
high-severity and four low-severity vulnerabilities. Four of these
five vulnerabilities, including the high-severity one, do not impact
NTPsec. CVE-2016-4956 and CVE-2016-4957 were introduced into NTP
Classic by the patches for previ