From: Chris Nehren
To: freebsd-security@freebsd.org
Date: Mon, 22 Dec 2014 13:52:38 -0500
Subject: Re: ntpd vulnerabilities

On Mon, Dec 22, 2014 at 10:39:54 -0700, Brett Glass wrote:
> I'd like to propose that FreeBSD move to OpenNTPD, which appears to
> have none of the fixed or unfixed (!) vulnerabilities that are
> present in ntpd. There's already a port.

Heartbleed, more than any other vulnerability in recent memory,
showed us users on the outside of the Project just how much effort is
involved in patching the base system (thank you, again, DES, for
being patient and explaining all the details!). Because of this, I am
reticent to support more software going into the base system. It
should be small enough to build itself and bootstrap the ports tree,
with very little else.

The more things are in base, the more things the developers need to
worry about patching across all the different supported versions of
FreeBSD. It's a lot faster to update a port to use a different
version.

If you want fast security updates, use ports. Or hire developers to
patch software for you.

--
Chris Nehren