From: Brett Glass
Date: Mon, 22 Dec 2014 10:39:54 -0700
To: Steve Clement , Winfried Neessen
Cc: freebsd-security@freebsd.org
Subject: Re: ntpd vulnerabilities

I'd like to propose that FreeBSD move to OpenNTPD, which appears to have none of the fixed or unfixed (!) vulnerabilities that are present in ntpd. There's already a port.

--Brett Glass

At 03:25 AM 12/22/2014, Steve Clement wrote:

>Chances are good it is vulnerable:
>
>https://svnweb.freebsd.org/base/release/10.0.0/contrib/ntp/ntpd/ntpd.c?view=log
>
>https://svnweb.freebsd.org/base/release/10.1.0/contrib/ntp/ntpd/ntpd.c?view=log
>
>
>Regarding the diff:
>
> diff -ru ntp-dev-4.2.7p486-RC ntp-4.2.8 |wc -l
> 7723
>
>Cherry picking the patches is easier.
>
>ntpd source trees:
>
>http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-dev/
>
>http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/
>
>
>Luckily that is still up… atm ntp.org is down.
>Here is the cached version of the notice:
>http://webcache.googleusercontent.com/search?q=cache:support.ntp.org/bin/view/Main/SecurityNotice
>
>--
>Steve Clement
>https://www.twitter.com/SteveClement
>mailto:steve@localhost.lu
>.lu: +352 20 333 55 65
>
> > On 22 Dec 2014, at 11:06, Steve Clement wrote:
> >
> > If someone could share a diff between ntpd 4.2.7 and 4.2.8 would be a good start.