Date:      Tue, 14 Jan 2014 19:42:47 -0800
From:      Cy Schubert <Cy.Schubert@komquats.com>
To:        Remko Lodder <remko@FreeBSD.org>
Cc:        svn-ports-head@freebsd.org, svn-ports-all@freebsd.org, ports-committers@freebsd.org
Subject:   Re: svn commit: r339721 - head/security/vuxml
Message-ID:  <201401150342.s0F3glMg017283@slippy.cwsent.com>
In-Reply-To: Message from Remko Lodder <remko@FreeBSD.org> of "Tue, 14 Jan 2014 21:15:11 +0000." <201401142115.s0ELFB1Q068278@svn.freebsd.org>

In message <201401142115.s0ELFB1Q068278@svn.freebsd.org>, Remko Lodder 
writes:
> Author: remko (src,doc committer)
> Date: Tue Jan 14 21:15:10 2014
> New Revision: 339721
> URL: http://svnweb.freebsd.org/changeset/ports/339721
> QAT: https://qat.redports.org/buildarchive/r339721/
> 
> Log:
>   Fix the latest entry, it has many issues, make validate
>   told us exactly what was wrong. I redid the entry and
>   just took out the ul/li structure and replaced it with
>   regular paragraphs. It might be worth investigating
>   to use the FreeBSD SA that got released because of this
>   as the main text, which is best suited imo.
>   
>   Hat:	    secteam
> 
> Modified:
>   head/security/vuxml/vuln.xml
> 
> Modified: head/security/vuxml/vuln.xml
> =============================================================================
> =
> --- head/security/vuxml/vuln.xml	Tue Jan 14 21:14:46 2014	(r33972
> 0)
> +++ head/security/vuxml/vuln.xml	Tue Jan 14 21:15:10 2014	(r33972
> 1)
> @@ -52,7 +52,7 @@ Note:  Please add new entries to the beg
>  -->
>  <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
>    <vuln vid="3d95c9a7-7d5c-11e3-a8c1-206a8a720317">
> -    <topic>ntpd DRDoS / Amplification Attack using ntpdc monlist command </t
> opic>
> +    <topic>ntpd DRDoS / Amplification Attack using ntpdc monlist command</to
> pic>
>      <affects>
>        <package>
>  	<name>ntp</name>
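Review bot: the only change in this hunk is the trailing space stripped from inside `<topic>`, which is a pure whitespace fix; the `vid`, the `<affects>`/`<package>` block and the `<name>ntp</name>` line are unchanged, so nothing else in this region needs re-checking.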
> @@ -63,26 +63,23 @@ Note:  Please add new entries to the beg
>        <body xmlns="http://www.w3.org/1999/xhtml">;
>  	<p>ntp.org reports:</p>
>  	<blockquote cite="http://support.ntp.org/bin/view/Main/SecurityNotice#D
> RDoS_Amplification_Attack_using">
> -	  <ul>
> -	    <li> References: CVE-2013-5211 / VU#348126
> -	    <li>Versions: All releases prior to 4.2.7p26
> -	    <li>Date Resolved: 2010/04/24
> -	    <li>Summary: Unrestricted access to the monlist feature in ntp_requ
> est.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denia
> l of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) RE
> Q_MON_GETLIST_1 requests, as exploited in the wild in December 2013 
> -	    <li>Mitigation:
> -	      <ul>
> -		<li>Upgrade to 4.2.7p26 or later.
> -		<li>Users of versions before 4.2.7p26 should either:
> -		  <ul>
> -		    <li>Use noquery to your default restrictions to block all s
> tatus queries.
> -		    <li>Use disable monitor to disable the ntpdc -c monlist com
> mand while still allowing other status queries. 
> -		  </ul>
> -	     </ul>
> -	  </ul>
> +	  <p>Unrestricted access to the monlist feature in
> +	    ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote
> +	    attackers to cause a denial of service (traffic
> +	    amplification) via forged (1) REQ_MON_GETLIST or (2)
> +	    REQ_MON_GETLIST_1 requests, as exploited in the wild in
> +	    December 2013</p>
> +	  <p>Use noquery to your default restrictions to block all
> +	    status queries.</p>
> +	  <p>Use disable monitor to disable the ``ntpdc -c monlist''
> +	    command while still allowing other status queries.</p>
>  	</blockquote>
>        </body>
>      </description>
>      <references>
>        <cvename>CVE-2013-5211</cvename>
> +      <freebsdsa>SA-14:02.ntpd</freebsdsa>
> +      <url>http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplifi
> cation_Attack_using</url>
>      </references>
>      <dates>
>        <discovery>2014-01-01</discovery>
> 
> 
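Review bot: replacing the unclosed `<li>` elements with closed `<p>` elements is the right fix for the validation failure, but the flattening also drops information that was in the removed lines: the "Users of versions before 4.2.7p26 should either:" lead-in that made the two mitigations alternatives (the two new paragraphs now read as if both are required), the "Versions: All releases prior to 4.2.7p26" line, and the "VU#348126" reference. Consider restoring the either/or with a short paragraph such as `<p>Users of versions before 4.2.7p26 should either:</p>` ahead of the two mitigation paragraphs, and carrying the CERT reference over into `<references>` next to the new `<freebsdsa>SA-14:02.ntpd</freebsdsa>` line as `<certvu>VU#348126</certvu>` (certvu is the VuXML element for CERT vulnerability notes). The added `<url>` duplicating the blockquote `cite` is fine and matches how other entries reference the upstream notice.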

I'm sorry, my bad. There is no excuse for this.


-- 
Cheers,
Cy Schubert <Cy.Schubert@komquats.com>
FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  http://www.FreeBSD.org

	The need of the many outweighs the greed of the few.
