Concerning the ntp-4.2.8p8 security fixes
Eric S. Raymond
esr at thyrsus.com
Fri Jun 3 15:15:13 UTC 2016
Daniel Franke <dfoxfranke at gmail.com>:
> Anyway, although NTP.org blew this advisory, they did get the patch
> correct, and as I reported in my previous email I've already ported
> and pushed that patch as of yesterday morning. I'm on the fence as to
> whether this bug is bad enough to merit tagging a release right away.
> Both NTP.org and the Redhat folks who discovered the bug are
> downplaying it, but I'm leaning toward yes given that even
> *legitimate* leap seconds have a long history of creating ops havoc,
> so a bogus one could be especially insidious.
Yeouch! I think your caution is well-founded. I also think it would
do NTPsec no harm to be *seen* to be more cautious and
security-sensitive than NTP.org, even if this weren't a real ops
It's Mark's call, but my advice to him is to tag a release and make
a minor public fuss about NTP.org's and Red Hat's dismissiveness.
<a href="http://www.catb.org/~esr/">Eric S. Raymond</a>
More information about the devel