NTP security hole CVE-2013-5211?
Xin Li
delphij at delphij.net
Mon Jan 13 19:41:41 UTC 2014
On 01/13/14 02:08, Cristiano Deana wrote:
> On Fri, Jan 10, 2014 at 6:18 AM, Xin Li <delphij at delphij.net> wrote:
>
> Hi,
>
> We will have an advisory next week. If a NTP server is properly
>> configured, it's likely that they are not affected
>>
>
> I had this problem in november, and ask to -current to integrate the new
> versione of ntpd in base (see my mail "[request] ntp upgrade" 11/27/13
> http://lists.freebsd.org/pipermail/freebsd-current/2013-November/046822.html
> ).
> I tried several workaround with config and policy, and ended up you MUST
> have 4.2.7 to stop these kind of attacks.
Do you have packet captures? If the configuration I have suggested
didn't stop the attack, you may have a different issue than what we have
found.
> I think it's better to upgrade the version in base AND to write a security
> advisory.
I wish we could, but 4.2.7 is a moving target right now.
Most Open Source projects does not provide support to their development
branch or snapshots, and it would be a headache in support prospective,
because once a FreeBSD release is released, we would support it for at
least 12 months (some releases are supported for 24 months or even more).
Cheers,
--
Xin LI <delphij at delphij.net> https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
More information about the freebsd-security
mailing list