> See:
> http://support.ntp.org/bin/view/Main/SecurityNotice
> You might want to upgrade or disable ntpd.

It would really REALLY help if the report would give enough details for me to make an informed decision. There are three buffer overflows claimed that have almost no details given (or at least not in any way I've figured out how to get) - one of which, fortunately, does mention a detail that tells me I don't have occasion to care about it - and no fixes provided beyond "switch to this version", no matter how bad a fit that might be to your use case. Apparently they consider it acceptable to make me reproduce the work to figure out what the vulnerability is, rather than actually providing useful information about it. This does not inspire me to want to use their software.

I've long been tempted to build my own NTP implementation, first to understand the protocol, then because the principal implementation is so badly documented (HTML as a documentation format? Seriously?!), now because they're not providing enough information about apparently-serious bugs to let me make an informed decision on what (if anything) to do, or to fix the version I'm running if that turns out to be a right answer. They appear to be under some sort of delusion that "switch versions" is an easy and reasonable thing for anyone to do.

So far, I've held off because I've been intimidated by the apparent difficulty of getting all the details right, but it's definitely getting more difficult to justify holding off. It _is_ a documented protocol, after all.

/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML                [email protected]
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
