NTP security hole CVE-2013-5211?

Xin Li delphij at delphij.net
Fri Jan 10 05:18:58 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 1/9/14, 6:12 AM, Palle Girgensohn wrote:
> 
> 9 jan 2014 kl. 15:08 skrev Eugene Grosbein <eugen at grosbein.net>:
> 
>> On 09.01.2014 19:38, Palle Girgensohn wrote:
>>> They recommend at least 4.2.7. Any thoughts about this?
>> 
>> Other than updating ntpd, you can filter out requests to
>> 'monlist' command with 'restrict ... noquery' option that
>> disables some queries for the internal ntpd status, including
>> 'monlist'.
>> 
>> See http://support.ntp.org/bin/view/Support/AccessRestrictions
>> for details.
> 
> Yes. But shouldn't there be a security advisory for FreeBSD
> specifically?

We will have an advisory next week.  If a NTP server is properly
configured, it's likely that they are not affected (the old FreeBSD
default is a little bit vague on how to properly configure the daemon,
though; the new default on -CURRENT and supported -STABLE branches
should be sufficient to provide protection).

Cheers,

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJSz4K/AAoJEJW2GBstM+nsoUAQAIR/IQrDnVlWYyQfRdL8dUQV
fuR0FSyE84rcaHR8GJ9D5ApWbB1GrO61VE+NkMp7wBhZ1UmSseMX8J63aXz7gEna
O7Lgsigjt0CloQk5A+uoiSuKxuicy3OaO5m9dYEb9/hIt2QgLzuWJEFxYYxtzNqp
16ndCq9BXRIjqiYjcH1rTqKmHvnOGDGLNDpArVDEkqToHur72d051xDUPHBUJzir
FMkuIroiucLd5fHp90L7ZkDl/g2xOFEqd6U9XIExusCDPYzA/KYZNFnEegPpAuuD
GXQ6wSDIVZzqgjuzERgw8ElaQ50NUvr4FWLTV6HV7aa+Ut5UF4CeFoBYf2xO1uUu
FravU2uoiOVqjir1UtNEY1yP3fXceegkT8T+4e+oCTUslSBVXsiES8iSfHQib0eK
wMSwelFCflfrLwiq97GjetBS66EUn00y/U3M3RUjlx4e0FIycLi5ZYy4XMkJlM2a
jXE63iynfk9N02tO3/K1a8Yrp7mIYY3drn43BOJeXL72QMumFxi81aO4NQdrBTMw
X49unE6bK4RZ5Ao4SdAWP/2vJfFnYLamc3cr1fvZ14XEyEXuVygmojoPPRdYkuj7
2OfMUv2m1BUUR8P4XIe6GN3UIY+kgK+JxddCU1WmLV8lYNloP0hQD62jtrB6J4A4
OzC38C6p+35khP0bZLhO
=wpEM
-----END PGP SIGNATURE-----


More information about the freebsd-security mailing list