Concerning the ntp-4.2.8p8 security fixes

Eric S. Raymond esr at thyrsus.com
Thu Jun 2 18:13:48 UTC 2016


Daniel Franke <dfoxfranke at gmail.com>:
> NTP Classic 4.2.8-p8 was released today, containing fixes for one
> high-severity and four low-severity vulnerabilities. Four of these
> five vulnerabilities, including the high-severity one, do not impact
> NTPsec. CVE-2016-4956 and CVE-2016-4957 were introduced into NTP
> Classic by the patches for previous vulnerabilities; in both cases,
> NTPsec fixed these earlier vulnerabilities in a different fashion and
> resultingly did not introduce the new ones. CVE-2016-4953 and
> CVE-2016-4955 are Autokey-related; Autokey was removed from NTPsec as
> of 0.9.3 and was already forcibly compiled out in all earlier
> releases. (Note, though, that NTP Classic users can be impacted by
> CVE-2016-4953 even if they do not use Autokey; they need only have
> support for it enabled at compile time).
> 
> The remaining, low-severity vulnerability, CVE-2016-4954
> (http://support.ntp.org/bin/view/Main/NtpBug3044) does affect NTPsec;
> its most significant impact is that packets which fail anti-spoofing
> sanity checks may nonetheless be sufficient to inject bogus leap
> seconds into a client's clock. I've ported and pushed the fix.

You sent this to an archived public list.  I take it that means the
embargo is up and I can talk about this in public?

4 of 5 dodged including two because we got the fix right the first
time seems like it's worth a mention on NANOG, backing up rather
dramatically our previous claim to be doing a dramatically better job
on security.

Mark, part of my premise here is that it's time to start raising our
visibility in anticipation of a 1.0 release.
-- 
		<a href="http://www.catb.org/~esr/">Eric S. Raymond</a>

