From owner-freebsd-security@FreeBSD.ORG Wed Dec 24 17:31:08 2014
Date: Wed, 24 Dec 2014 12:31:03 -0500
From: Garrett Wollman
To: Glen Barber
Cc: freebsd-security@freebsd.org, Andrei
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:31.ntp
Message-ID: <21658.63575.447695.575072@hergotha.csail.mit.edu>
In-Reply-To: <20141224171203.GF40485@hub.FreeBSD.org>
References: <20141223233310.098C54BB6@nine.des.no> <20141224174216.6fd47466@azsupport.com> <20141224171203.GF40485@hub.FreeBSD.org>
List-Id: "Security issues [members-only posting]"

Glen Barber said:

> On Wed, Dec 24, 2014 at 05:42:16PM +0100, Andrei wrote:
>> On Wed, 24 Dec 2014 00:33:09 +0100 (CET)
>> FreeBSD Security Advisories wrote:
>> > ports, namely tcp/123 and udp/123 when it is not clear that all
>> > systems have been patched or have ntpd(8) stopped.
>>
>> Why tcp/123?
>
> gjb@nucleus:~ % grep -i ^ntp /etc/services
> ntp             123/tcp    #Network Time Protocol
> ntp             123/udp    #Network Time Protocol

It's IANA's policy to reserve the ports for both TCP and UDP.  NTP does
not use TCP, nor has it ever done so.  It's highly unlikely that it
ever will.  You might as well tell people to firewall 123/sctp as
well; it will have just as much effect.

-GAWollman
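The point of the exchange above is that an /etc/services entry records an IANA registration, not a transport the daemon uses: the port number is reserved for TCP and UDP together. The following script, added here as an illustration and not part of the mailing-list thread, compares what /etc/services registers for a port with what a host actually has bound on it, so that an emergency filter rule can be scoped to the transports in use. It assumes the FreeBSD /etc/services layout and the column layout of `sockstat -l`; both inputs below are constructed samples in those formats, not captured from a real host.

```python
# Added example, not from the FreeBSD thread: compare IANA registrations
# in /etc/services against the sockets a host actually has bound.
# Both sample inputs are constructed to mimic FreeBSD formats.

from typing import Dict, Set

# Constructed excerpt in the format of /etc/services.
SERVICES_SAMPLE = """\
# Network services, Internet style
ssh              22/tcp     #Secure Shell Login
ssh              22/udp     #Secure Shell Login
ntp             123/tcp    #Network Time Protocol
ntp             123/udp    #Network Time Protocol
"""

# Constructed excerpt in the format of `sockstat -l` on FreeBSD
# (assumed column order: USER COMMAND PID FD PROTO LOCAL FOREIGN).
SOCKSTAT_SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     ntpd       1234  20 udp6   *:123                 *:*
root     ntpd       1234  21 udp4   *:123                 *:*
root     sshd       900   4  tcp6   *:22                  *:*
root     sshd       900   5  tcp4   *:22                  *:*
root     syslogd    700   6  dgram  /var/run/log
"""


def registered_protocols(services_text: str, port: int) -> Set[str]:
    """Transports /etc/services registers for `port`, e.g. {'tcp', 'udp'}."""
    found: Set[str] = set()
    for raw in services_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        num, proto = fields[1].split("/", 1)
        if num.isdigit() and int(num) == port:
            found.add(proto)
    return found


def listening_protocols(sockstat_text: str, port: int) -> Dict[str, Set[str]]:
    """Map command name -> transports it actually has bound on `port`."""
    listeners: Dict[str, Set[str]] = {}
    for raw in sockstat_text.splitlines()[1:]:  # skip the header row
        fields = raw.split()
        if len(fields) < 6:
            continue
        command, proto, local = fields[1], fields[4], fields[5]
        if not (proto.startswith("tcp") or proto.startswith("udp")):
            continue  # unix-domain sockets show a path, not addr:port
        bound_port = local.rsplit(":", 1)[-1]  # works for "*:123" and v6 addrs
        if bound_port.isdigit() and int(bound_port) == port:
            listeners.setdefault(command, set()).add(proto[:3])  # tcp4 -> tcp
    return listeners


def registered_but_unused(services_text: str, sockstat_text: str, port: int) -> Set[str]:
    """Transports /etc/services lists for `port` that nothing on the host binds."""
    used: Set[str] = set()
    for protos in listening_protocols(sockstat_text, port).values():
        used |= protos
    return registered_protocols(services_text, port) - used


if __name__ == "__main__":
    print("registered for 123:", registered_protocols(SERVICES_SAMPLE, 123))
    print("bound on 123:      ", listening_protocols(SOCKSTAT_SAMPLE, 123))
    print("registered, unused:", registered_but_unused(SERVICES_SAMPLE, SOCKSTAT_SAMPLE, 123))
```

On the constructed input, port 123 is registered for both tcp and udp but only ntpd's UDP sockets are bound, so the set of registered-but-unused transports is {'tcp'}; a filter rule scoped from the sockstat side covers the daemon that is actually exposed.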