Date: Mon, 22 Dec 2014 10:39:54 -0700 From: Brett Glass <brett@lariat.net> To: Steve Clement <steve@localhost.lu>, Winfried Neessen <neessen@cleverbridge.com> Cc: freebsd-security@freebsd.org Subject: Re: ntpd vulnerabilities Message-ID: <201412221745.KAA28186@mail.lariat.net> In-Reply-To: <F7FACD2F-3AFE-4717-B4B9-B54A6FC70458@localhost.lu> References: <252350272.1812596.1419241828431.JavaMail.zimbra@cleverbridge.com> <B6AF154A-FE22-4357-9031-91D661FD7E57@localhost.lu> <F7FACD2F-3AFE-4717-B4B9-B54A6FC70458@localhost.lu>
next in thread | previous in thread | raw e-mail | index | archive | help
I'd like to propose that FreeBSD move to OpenNTPD, which appears to have none of the fixed or unfixed (!) vulnerabilities that are present in ntpd. There's already a port. --Brett Glass At 03:25 AM 12/22/2014, Steve Clement wrote: >Chances are good it is vulnerable: > >https://svnweb.freebsd.org/base/release/10.0.0/contrib/ntp/ntpd/ntpd.c?view=log ><https://svnweb.freebsd.org/base/release/10.0.0/contrib/ntp/ntpd/ntpd.c?view=log> >https://svnweb.freebsd.org/base/release/10.1.0/contrib/ntp/ntpd/ntpd.c?view=log ><https://svnweb.freebsd.org/base/release/10.1.0/contrib/ntp/ntpd/ntpd.c?view=log> > >Regarding the diff: > > diff -ru ntp-dev-4.2.7p486-RC ntp-4.2.8 |wc -l > 7723 > >Cherry picking the patches is easier. > >ntpd source trees: > >http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-dev/ ><http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-dev/> >http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ ><http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/> > >Luckily that is still up… atm ntp.org is down. >Here is the cached version of the notice: >http://webcache.googleusercontent.com/search?q=cache:support.ntp.org/bin/view/Main/SecurityNotice > >-- >Steve Clement >https://www.twitter.com/SteveClement >mailto:steve@localhost.lu >.lu: +352 20 333 55 65 > > > On 22 Dec 2014, at 11:06, Steve Clement <steve@localhost.lu> wrote: > > > > If someone could share a diff between ntpd 4.2.7 and 4.2.8 > would be a good start. >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201412221745.KAA28186>