devel@ntpsec.org said: > Thanks for spotting that. We'll ship a CVE and a point release shortly.
It was easy to spot. The test case didn't work and there was garbage in the log. There are two more bugs/quirks that I'm investigating. I don't think either is worth waiting for. If you typo the file name on the cert-file in something like server <server-name> nts ca <cert-file-name> it logs an error message, then exits. That happens in the DNS worker thread. Remember all the work we did to make msyslog work with threads? We didn't fix all the main code to be thread friendly. We did add a trap for calling lib_getbuf() from a non-main thread. exit() calls all the unwind hooks (from the non-main thread) and before long, that trap goes off. We could peek ahead to see if the file works. The idea with the exit was so you would know there was a problem and could fix it rather than have to poke around to figure out why it wasn't working. I think it's easy to make that particular error fail rather than exit. But there are lots of others. We could make a ntp_exit that sets a flag to disable the trap. Mumble. The other quirk is noval when using old-enough versions of OpenSSL. I think it doesn't work - certificate checking is built into the code. That area is tangled up with host name checking. I'd like to make sure I understand that area. There is another 1/2 a bug. I fixed the -4 and -6 flags to apply to both the NTS-KE server and the NTP server. Before that fix, if you did server -4 foo nts server -6 foo nts and foo said to use NTP server named "bar" and bar had both -4 and -6 addresses, the second one didn't work. Or something like that. I've seen some fishy printout in the logs (wrong port) so some extra checking seems worthwhile. -- These are my opinions. I hate spam. _______________________________________________ devel mailing list devel@ntpsec.org http://lists.ntpsec.org/mailman/listinfo/devel
