Yet another NTP security bug we fixed before the CVE issued
http://forums.theregister.co.uk/forum/1/2016/10/28/researchers_tag_new_brace...

That'd be another CVE that NTPsec dodges before it's issued. We removed interleaved mode months ago because the code smelled bad and turned out to have an implementation error in the timestamp handling.

On past performance, there'll be about a 75% chance each that we've pre-fixed the other new security bugs.

-- <a href="http://www.catb.org/~esr/">Eric S. Raymond</a>

"Eric S. Raymond" writes:
...
Yawn. We disabled interleave a while ago.

Interleave is the best way to get the next major step in accurate time using the NTP Protocol. Yes, it needs work. A reference implementation is where this work happens.

Yes, we have another release about to happen. Mostly "security" bugs that folks will not see, if they're being at all responsible.

Eric, you are loved and appreciated, and respected and admired.

-- Harlan Stenn <stenn@ntp.org>
http://networktimefoundation.org - be a member!

Harlan Stenn <stenn@ntp.org>:
> Interleave is the best way to get the next major step in accurate time using the NTP Protocol. Yes, it needs work. A reference implementation is where this work happens.

Daniel Franke judges the interleave concept doesn't actually work well enough to be worth its code weight, and that Mills believed otherwise because of an error he failed to notice in the timestamp handling. I have not looked myself, but I have found Daniel very reliable when he says such things.

> Yes, we have another release about to happen. Mostly "security" bugs that folks will not see, if they're being at all responsible.

They certainly won't see those bugs in NTPsec -- Daniel briefed me about 90 minutes ago, and even if we hadn't I knew we were pre-armored against 3/4ths of the CVEs that hit you guys this year. Might just have something to do with having removed 153KLOC of useless code and winding up with less than a third of the attack surface you guys have exposed.

> Eric, you are loved and appreciated, and respected and admired.

That's nice. It's a damn shame you didn't "admire" me (and my team members) enough to join forces with us when we were trying to avoid a fork, rather than fighting us and forcing one to happen. Your choice, your consequences.

-- <a href="http://www.catb.org/~esr/">Eric S. Raymond</a>