On Sep 10, 12:23 am, Harlan Stenn wrote:
> https://support.ntp.org/bugs/show_bug.cgi?id=1243talks about a bug that
> affects autokey users.
>
> We have a fix ready to go.
>
> There are 2 ways to go, however.
>
> One way is to just fix the problem, which will mean an "old" version of
> ntpd will no
David Mills wrote:
> Dave,
>
> Better do this quickly, cleanly and with minimum wiggle room. Otherwise,
> somebody who doesn't know anything will call it a security flaw, call
> the CERT and create an Incident.
You mean like 2009-USCERTv33I7IQA...
Todd
> This has happened before when somebody
Dave Hart wrote:
> On Fri, Sep 11, 2009 at 1:37 PM, Ryan Malayter wrote:
>
>> I don't use autokey in production, but I would also suggest that if
>> the issue causes the reference implementation to violate RFCs and also
>> creates a security issue with key shortening, it should be fixed
>> witho
Ryan Malayter wrote:
> I don't use autokey in production, but I would also suggest that if
> the issue causes the reference implementation to violate RFCs and also
> creates a security issue with key shortening, it should be fixed
> without any options to go back to the bad behavior. Actually, the
Dave,
Better do this quickly, cleanly and with minimum wiggle room. Otherwise,
somebody who doesn't know anything will call it a security flaw, call
the CERT and create an Incident. This has happened before when somebody
claimed a stack vulnerability which in fact was true in a most unlikely
c
On Fri, Sep 11, 2009 at 1:37 PM, Ryan Malayter wrote:
> I don't use autokey in production, but I would also suggest that if
> the issue causes the reference implementation to violate RFCs and also
> creates a security issue with key shortening, it should be fixed
> without any options to go back to
I don't use autokey in production, but I would also suggest that if
the issue causes the reference implementation to violate RFCs and also
creates a security issue with key shortening, it should be fixed
without any options to go back to the bad behavior. Actually, the
security issue might in fact
Harlan,
Folks should understand this is a rather trivial fix to make sure
autokeys are no shortened when a null byte is generated at random. The
bug has been present since 1993. Thus, "old" version will interoperate
as will "new" versions, but old and new will not. I would like to
simplify th
https://support.ntp.org/bugs/show_bug.cgi?id=1243 talks about a bug that
affects autokey users.
We have a fix ready to go.
There are 2 ways to go, however.
One way is to just fix the problem, which will mean an "old" version of
ntpd will not authenticate with a "new" version of ntpd.
The other