Concerning the ntp-4.2.8p8 security fixes

Fri Jun 3 15:15:13 UTC 2016

Daniel Franke <dfoxfranke at>:
> Anyway, although blew this advisory, they did get the patch
> correct, and as I reported in my previous email I've already ported
> and pushed that patch as of yesterday morning. I'm on the fence as to
> whether this bug is bad enough to merit tagging a release right away.
> Both and the Red Hat folks who discovered the bug are
> downplaying it, but I'm leaning toward yes given that even
> *legitimate* leap seconds have a long history of creating ops havoc,
> so a bogus one could be especially insidious.

Yeouch! I think your caution is well-founded.  I also think it would
do NTPsec no harm to be *seen* to be more cautious and
security-sensitive than, even if this weren't a real ops

It's Mark's call, but my advice to him is to tag a release and make
a minor public fuss about's and Red Hat's dismissiveness.
