|Latest Resolved Issues
March 2017 ntp-4.2.8p10 Security Announcement
This latest version addresses the following:
All of the security issues in the release are included in VU#325539. All the Cure53 discovered bugs used Pentest report 01.2017.
Network Time Foundation is Improving its NTP Project Security with NTS – Network Time Security Project – read our latest blog
When we discover a security vulnerability in NTP we follow our Phased Vulnerability Process which includes first notifying Institutional members of the NTP Consortium at Network Time Foundation, then CERT, and finally make a public announcement.
Security Patch Policy
When security patches are ready, they are first given to Premier and Partner Institutional members of the NTP Consortium at Network Time Foundation, then access instructions are provided to CERT, and finally the public release is made on the embargo date.
For more information about our NTP Consortium and how to become a member, see (http://www.nwtime.org/membership/benefits/)
Reporting Security Issues
Security related bugs, confirmed or suspected, are to be reported by e-mail to email@example.com.
Do not disclose details with unencrypted email-we will exchange PGP keys for further discussion.
You can also use our NTP Security Officer Key, for reporting issues you have verified are security related.
Please refrain from discussing potential security issues in public fora such as the comp.protocols.time.ntp Usenet news-group, our Bug Tracking system, firstname.lastname@example.org, or any other mailing-list.
Network Time Foundation is continually looking for ways to improve the NTP code. We have announced the Network Time Security project (NTS), replacing Autokey, and will soon be announcing the first production release of the NTP “leaf node” client from the Ntimed Project.
For years NTF’s NTP Project has routinely submitted the NTP code base through Coverity’s security analysis scans and in 2015 we went from several hundred issues found — down to nine. That gives us a “defect density” rating of 0.05, or 1 defect detected for every 20,000 lines of code scanned. For comparison, the average defect density of other open source projects of our size category is 0.5, or one defect for every 2,000 lines of code.
NTF’s NTP Project code base has also been run through Veracode and HP’s Fortify on Demand (FoD).
We especially want to thank all of our volunteers who have contributed bug fixes and improvements over the years and continue to do so. You can learn about them from our bug database and ChangeLog file.