From owner-freebsd-security@FreeBSD.ORG Tue Nov 5 16:17:40 2013 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 128021BF; Tue, 5 Nov 2013 16:17:40 +0000 (UTC) (envelope-from tevans.uk@googlemail.com) Received: from mail-la0-x22e.google.com (mail-la0-x22e.google.com [IPv6:2a00:1450:4010:c03::22e]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 6709A2319; Tue, 5 Nov 2013 16:17:39 +0000 (UTC) Received: by mail-la0-f46.google.com with SMTP id el20so687238lab.5 for ; Tue, 05 Nov 2013 08:17:37 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=CN8fVRfa6FsQr7OXlf6AD5gTTzER2WaitsucTI+4/bA=; b=gcbLu6pldM1fWd1KnIq3tengRSeostUSbYUd9jpLFAen5G7k/mdmbaJRDCQSGbhX1b d4R4zpMMhPKJlrD0z7EZcxUYwipF9FVkoindLlbR7GlnocfE1LOXPEM9AVsL5Y0DghiJ 8qaoHo34NoXcME7V6AxjYId6QeLk0PAQnC3wVGZ3y1fDLkulxshuxcp/t89m+Vtn8U2p KvB4/xwpFDU5qmTYhe/n4GbmOUH6wbXFuZXuE+Zk27tZktycBdSZSPVuq86ZmYSeRQxS Q1kxfIOPCab505ZqAY9jXf9CPJ9CYKPFE3lwACTRVAHp2NTSnWtozKoPsd1T7In4YGIn vtwQ== MIME-Version: 1.0 X-Received: by 10.152.22.170 with SMTP id e10mr34627laf.78.1383668257461; Tue, 05 Nov 2013 08:17:37 -0800 (PST) Received: by 10.112.5.138 with HTTP; Tue, 5 Nov 2013 08:17:37 -0800 (PST) In-Reply-To: References: <7403C046ABF387E5061BC441@Mail-PC.tdx.co.uk> Date: Tue, 5 Nov 2013 16:17:37 +0000 Message-ID: Subject: Re: ntpd 4.2.4p8 - up to date? From: Tom Evans To: Dimitry Andric Content-Type: text/plain; charset=UTF-8 Cc: freebsd-security@freebsd.org, Karl Pielorz X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Nov 2013 16:17:40 -0000 On Sat, Nov 2, 2013 at 12:18 AM, Dimitry Andric wrote: > On 01 Nov 2013, at 17:31, Tom Evans wrote: >> On Fri, Nov 1, 2013 at 4:05 PM, Karl Pielorz wrote: >>> >>> Hi, >>> >>> A friend who uses linux a lot happened to notice on a FreeBSD box I >>> installed the other day and updated to 9.2-R that it's using ntpd 4.2.4p8. >>> >>> They reckon that's had a lot of issues (e.g. CVE reports) against it - and >>> it should be newer. >>> >>> I'm sure the one it has been 'updated' with is secure - and just reports >>> that version, but if someone can confirm that'd be great, >>> >> >> Don't take anything I say as confirmation, but I would have thought, >> looking at this page [1], that he is wrong. All the CVEs listed there >> say they apply to "before 4.2.4p8" or a lower version. >> >> Cheers >> >> Tom >> >> [1] http://www.cvedetails.com/vulnerability-list/vendor_id-2153/NTP.html > > That page lists a bunch of CVEs, and the relevant ones have already had FreeBSD security advisories: > > CVE-2009-3563 http://www.freebsd.org/security/advisories/FreeBSD-SA-10:02.ntpd.asc > CVE-2009-1252 http://www.freebsd.org/security/advisories/FreeBSD-SA-09:11.ntpd.asc > CVE-2009-0159 not relevant, NTP before 4.2.4p7-RC2 > CVE-2009-0021 not relevant, NTP before 4.2.4p5 > CVE-2004-0657 not relevant, NTP before 4.0 > > -DImitry > Which is what I said? FreeBSD is currently at 4.2.4p8, all those CVEs apply to "before 4.2.4p8". Cheers Tom