Date: Tue, 5 Nov 2013 16:17:37 +0000 From: Tom Evans <tevans.uk@googlemail.com> To: Dimitry Andric <dim@freebsd.org> Cc: freebsd-security@freebsd.org, Karl Pielorz <kpielorz_lst@tdx.co.uk> Subject: Re: ntpd 4.2.4p8 - up to date? Message-ID: <CAFHbX1LBn5rEhQOdPaThAmgf765VBpyU5Y1U3rbh59yy9jKecg@mail.gmail.com> In-Reply-To: <E520736B-8D62-4A97-AFFD-14F44B1CC290@FreeBSD.org> References: <7403C046ABF387E5061BC441@Mail-PC.tdx.co.uk> <CAFHbX1LAcE4c_E5J4pdny0hkz=GTPghmsB0kRuTDQdP9S8PCHg@mail.gmail.com> <E520736B-8D62-4A97-AFFD-14F44B1CC290@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, Nov 2, 2013 at 12:18 AM, Dimitry Andric <dim@freebsd.org> wrote: > On 01 Nov 2013, at 17:31, Tom Evans <tevans.uk@googlemail.com> wrote: >> On Fri, Nov 1, 2013 at 4:05 PM, Karl Pielorz <kpielorz_lst@tdx.co.uk> wrote: >>> >>> Hi, >>> >>> A friend who uses linux a lot happened to notice on a FreeBSD box I >>> installed the other day and updated to 9.2-R that it's using ntpd 4.2.4p8. >>> >>> They reckon that's had a lot of issues (e.g. CVE reports) against it - and >>> it should be newer. >>> >>> I'm sure the one it has been 'updated' with is secure - and just reports >>> that version, but if someone can confirm that'd be great, >>> >> >> Don't take anything I say as confirmation, but I would have thought, >> looking at this page [1], that he is wrong. All the CVEs listed there >> say they apply to "before 4.2.4p8" or a lower version. >> >> Cheers >> >> Tom >> >> [1] http://www.cvedetails.com/vulnerability-list/vendor_id-2153/NTP.html > > That page lists a bunch of CVEs, and the relevant ones have already had FreeBSD security advisories: > > CVE-2009-3563 http://www.freebsd.org/security/advisories/FreeBSD-SA-10:02.ntpd.asc > CVE-2009-1252 http://www.freebsd.org/security/advisories/FreeBSD-SA-09:11.ntpd.asc > CVE-2009-0159 not relevant, NTP before 4.2.4p7-RC2 > CVE-2009-0021 not relevant, NTP before 4.2.4p5 > CVE-2004-0657 not relevant, NTP before 4.0 > > -DImitry > Which is what I said? FreeBSD is currently at 4.2.4p8, all those CVEs apply to "before 4.2.4p8". Cheers Tom
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAFHbX1LBn5rEhQOdPaThAmgf765VBpyU5Y1U3rbh59yy9jKecg>