From owner-svn-ports-all@FreeBSD.ORG Wed Jan 15 03:42:55 2014 Return-Path: Delivered-To: svn-ports-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id DBD668FB; Wed, 15 Jan 2014 03:42:55 +0000 (UTC) Received: from smtp-out-02.shaw.ca (smtp-out-03.shaw.ca [64.59.136.139]) by mx1.freebsd.org (Postfix) with ESMTP id 8C75A1083; Wed, 15 Jan 2014 03:42:54 +0000 (UTC) X-Cloudmark-SP-Filtered: true X-Cloudmark-SP-Result: v=1.1 cv=tLeJwtg1FCvAouMblIYY1Z5/U6XdMrtw4y2B9g+QINc= c=1 sm=1 a=523BiwpbsN0A:10 a=QrugwKR0C_UA:10 a=wAGQQ9Az6v0A:10 a=BLceEmwcHowA:10 a=ICAaq7hcmGcA:10 a=kj9zAlcOel0A:10 a=IbtKDeXwb2+SRU442/pi3A==:17 a=6I5d2MoRAAAA:8 a=KC9ug_Y4AAAA:8 a=5089wCahAAAA:8 a=SSmOFEACAAAA:8 a=85N1-lAfAAAA:8 a=BWvPGDcYAAAA:8 a=FFH7f4evIkkOXgNLGiUA:9 a=CjuIK1q_8ugA:10 a=R9ZztV9jq3kA:10 a=V7tsTZBp22UA:10 a=SV7veod9ZcQA:10 a=HpAAvcLHHh0Zw7uRqdWCyQ==:117 Received: from unknown (HELO spqr.komquats.com) ([96.50.7.119]) by smtp-out-02.shaw.ca with ESMTP; 14 Jan 2014 20:42:47 -0700 Received: from slippy.cwsent.com (slippy [10.1.1.91]) by spqr.komquats.com (Postfix) with ESMTP id 387879BEA; Tue, 14 Jan 2014 19:42:47 -0800 (PST) Received: from slippy (localhost [127.0.0.1]) by slippy.cwsent.com (8.14.7/8.14.7) with ESMTP id s0F3glMg017283; Tue, 14 Jan 2014 19:42:47 -0800 (PST) (envelope-from Cy.Schubert@komquats.com) Message-Id: <201401150342.s0F3glMg017283@slippy.cwsent.com> X-Mailer: exmh version 2.8.0 04/21/2012 with nmh-1.5 From: Cy Schubert X-os: FreeBSD X-Sender: cy@cwsent.com X-URL: http://www.komquats.com/ To: Remko Lodder Subject: Re: svn commit: r339721 - head/security/vuxml In-Reply-To: Message from Remko Lodder of "Tue, 14 Jan 2014 21:15:11 +0000." <201401142115.s0ELFB1Q068278@svn.freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Tue, 14 Jan 2014 19:42:47 -0800 Cc: svn-ports-head@freebsd.org, svn-ports-all@freebsd.org, ports-committers@freebsd.org X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list Reply-To: Cy Schubert List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Jan 2014 03:42:55 -0000 In message <201401142115.s0ELFB1Q068278@svn.freebsd.org>, Remko Lodder writes: > Author: remko (src,doc committer) > Date: Tue Jan 14 21:15:10 2014 > New Revision: 339721 > URL: http://svnweb.freebsd.org/changeset/ports/339721 > QAT: https://qat.redports.org/buildarchive/r339721/ > > Log: > Fix the latest entry, it has many issues, make validate > told us exactly what was wrong. I redid the entry and > just took out the ul/li structure and replaced it with > regular paragraphs. It might be worth investigating > to use the FreeBSD SA that got released because of this > as the main text, which is best suited imo. > > Hat: secteam > > Modified: > head/security/vuxml/vuln.xml > > Modified: head/security/vuxml/vuln.xml > ============================================================================= > = > --- head/security/vuxml/vuln.xml Tue Jan 14 21:14:46 2014 (r33972 > 0) > +++ head/security/vuxml/vuln.xml Tue Jan 14 21:15:10 2014 (r33972 > 1) > @@ -52,7 +52,7 @@ Note: Please add new entries to the beg > --> > > > - ntpd DRDoS / Amplification Attack using ntpdc monlist command opic> > + ntpd DRDoS / Amplification Attack using ntpdc monlist command pic> > > > ntp > @@ -63,26 +63,23 @@ Note: Please add new entries to the beg > >

ntp.org reports:

> -
> -
References: CVE-2013-5211 / VU#348126 > -
Versions: All releases prior to 4.2.7p26 > -
Date Resolved: 2010/04/24 > -
Summary: Unrestricted access to the monlist feature in ntp_requ > est.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denia > l of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) RE > Q_MON_GETLIST_1 requests, as exploited in the wild in December 2013 > -
Mitigation: > -
> -
Upgrade to 4.2.7p26 or later. > -
Users of versions before 4.2.7p26 should either: > -
> -
Use noquery to your default restrictions to block all s > tatus queries. > -
Use disable monitor to disable the ntpdc -c monlist com > mand while still allowing other status queries. > -
> -
> -
> +
Unrestricted access to the monlist feature in > + ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote > + attackers to cause a denial of service (traffic > + amplification) via forged (1) REQ_MON_GETLIST or (2) > + REQ_MON_GETLIST_1 requests, as exploited in the wild in > + December 2013
> +
Use noquery to your default restrictions to block all > + status queries.
> +
Use disable monitor to disable the ``ntpdc -c monlist'' > + command while still allowing other status queries.
>

> > > > CVE-2013-5211 > + SA-14:02.ntpd > + http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplifi > cation_Attack_using > > > 2014-01-01 > > I'm sorry, my bad. There is no excuse for this. -- Cheers, Cy Schubert FreeBSD UNIX: Web: http://www.FreeBSD.org The need of the many outweighs the greed of the few.