From owner-freebsd-security@FreeBSD.ORG Tue Jan 14 15:40:22 2014
Date: Tue, 14 Jan 2014 08:40:01 -0700 (MST)
From: Warren Block
To: Eugene Grosbein
Subject: Re: UNS: Re: NTP security hole CVE-2013-5211?
In-Reply-To: <52D543B4.8090700@grosbein.net>
References: <52CEAD69.6090000@grosbein.net> <21199.26019.698585.355699@hergotha.csail.mit.edu> <868uuid7y3.fsf@nine.des.no> <52D543B4.8090700@grosbein.net>
Cc: Dag-Erling Smørgrav, Palle Girgensohn, Garrett Wollman, freebsd-security@freebsd.org

On Tue, 14 Jan 2014, Eugene Grosbein wrote:

> On 14.01.2014 20:11, Dag-Erling Smørgrav wrote:
>> Garrett Wollman writes:
>>> For a "pure" client, I would suggest "restrict default ignore" ought
>>> to be the norm. (Followed by entries to unrestrict localhost over v4
>>> and v6.)
>>
>> Pure clients shouldn't use ntpd(8). They should use sntp(8) or a
>> lightweight NTP client like ttsntpd.
>
> $ man sntp
> No manual entry for sntp
> $ whereis sntp
> sntp: /usr/sbin/sntp
>
> That's first time I see a reference to sntp(8) for FreeBSD
> while using it since 2.2.5-RELEASE.
>
> Is it documented somewhere?

sntp.1 is in contrib/ntp/sntp/, but it's never installed.
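
Added example (not part of the thread and not FreeBSD or ntpd code): a Python check of an ntp.conf against the "restrict default ignore" arrangement suggested in the quoted text above, including the point that `ignore` also drops replies from configured servers unless each has its own restrict entry. The sample file is constructed; `family_of`, `parse` and `audit` are hypothetical names, and the check assumes a bare `default` covers IPv4 only and compares addresses as plain strings.

```python
# Constructed sample ntp.conf for a "pure" client (not taken from the thread).
SAMPLE_CONF = """\
server 192.0.2.10 iburst
server 2001:db8::10 iburst
restrict default ignore
restrict -6 default ignore
restrict 127.0.0.1
restrict 192.0.2.10 nomodify notrap noquery
"""

def family_of(addr, forced=None):
    # Assumption: without -4/-6, anything lacking ':' (including a bare
    # "default" or a hostname) is counted as IPv4.
    return forced or ("v6" if ":" in addr else "v4")

def parse(conf):
    """Return (servers, restricts); restricts maps (family, addr) -> flag set."""
    servers, restricts = [], {}
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) < 2:
            continue
        keyword, args = words[0], words[1:]
        forced = {"-4": "v4", "-6": "v6"}.get(args[0])
        if forced:
            args = args[1:]
        if not args:
            continue
        if keyword in ("server", "pool", "peer"):
            servers.append((family_of(args[0], forced), args[0]))
        elif keyword == "restrict":
            flags = args[3:] if args[1:2] == ["mask"] else args[1:]
            restricts[(family_of(args[0], forced), args[0])] = set(flags)
    return servers, restricts

def audit(conf):
    """List deviations from 'default ignore plus explicit exceptions'."""
    servers, restricts = parse(conf)
    findings = []
    for fam in ("v4", "v6"):
        if "ignore" not in restricts.get((fam, "default"), set()):
            findings.append(f"{fam}: default is not 'ignore'")
    # Localhost and every time source need their own entry without 'ignore';
    # otherwise the default entry drops their packets too.
    for fam, addr in [("v4", "127.0.0.1"), ("v6", "::1")] + servers:
        if "ignore" in restricts.get((fam, addr), {"ignore"}):
            findings.append(f"{fam}: {addr} has no entry lifting 'ignore'")
    return findings
```
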

From owner-freebsd-security@FreeBSD.ORG Tue Jan 14 19:11:00 2014
From: "Ollivier Robert"
To: "Karl Pielorz"
Subject: Re: ntpd 4.2.4p8 - up to date?
Date: Tue, 14 Jan 2014 20:10:55 +0100
Message-ID: <47C93A3E-7DFE-4093-BB31-3F3C67E5FED3@keltia.net>
References: <7403C046ABF387E5061BC441@Mail-PC.tdx.co.uk>
Cc: freebsd-security@freebsd.org, Dimitry Andric

On 2 Nov 2013, at 20:24, Karl Pielorz wrote:

> So as I'd kind of guessed - it's not really vanilla 4.2.4p8 that it's
> running, it's based on 4.2.4p8 with additional patches that have been
> applied by FreeBSD, to address the applicable notifications?

Yes.