on the NTP security issues and fixes
Eric S. Raymond
esr at thyrsus.com
Thu May 5 02:47:49 UTC 2016
Daniel Franke <dfoxfranke at gmail.com>:
> Well, that was scary and a little overwhelming but it turns out we're
> in remarkably good shape: I've now merged patches for what look to be
> the only three out of the eleven issues that impact us, and two of
> those only dubiously qualify as vulnerabilities at all. Before I ask
> Mark to tag a release I need to take a second look at a couple of these
> and then write release notes, but if you're already running a git
> snapshot of NTPsec then now's a fine time to pull.
Mark, the thing to emphasize in talking to LF and others is that 8 out
of those 11 CVEs didn't affect us because we had *already removed the
attack surface*. This is really vindicating our approach of aggressively
chiseling off misfeatures and cruft as a way to improve security.
--
Eric S. Raymond <http://www.catb.org/~esr/>