Yet another NTP security bug we fixed before the CVE issued

Eric S. Raymond esr at thyrsus.com
Sat Oct 29 05:26:25 UTC 2016


Harlan Stenn <stenn at ntp.org>:
> Interleave is the best way to get the next major step in accurate time
> using the NTP Protocol.  Yes, it needs work.  A reference implementation
> is where this work happens.

Daniel Franke judges the interleave concept doesn't actually work well
enough to be worth its code weight, and that Mills believed otherwise
because of an error he failed to notice in the timestamp handling.  I
have not looked myself, but I have found Daniel very reliable when he
says such things.

> Yes, we have another release about to happen.  Mostly "security" bugs
> that folks will not see, if they're being at all responsible.

They certainly won't see those bugs in NTPsec -- Daniel briefed me about
90 minutes ago, and even if we hadn't I knew we were pre-armored
against 3/4ths of the CVEs that hit you guys this year.  Might just have
something to do with having removed 153KLOC of useless code and winding
up with less than a third of the attack surface you guys have exposed. 

> Eric, you are loved and appreciated, and respected and admired.

That's nice.  It's a damn shame you didn't "admire" me (and my team
members) enough to join forces with us when we were trying to avoid a
fork, rather than fighting us and forcing one to happen.  Your choice,
your consequences.
-- 
		<a href="http://www.catb.org/~esr/">Eric S. Raymond</a>


