From: Dag-Erling Smørgrav
To: Winfried Neessen
Cc: freebsd-security@freebsd.org
Subject: Re: ntpd vulnerabilities
Date: Mon, 22 Dec 2014 17:16:15 +0100

Winfried Neessen writes:
> there has been a security advisory for several vulnerabilities in ntpd. Is FreeBSD
> affected by this? According to http://www.kb.cert.org/vuls/id/852879 OpenBSD is
> not affected, but I guess that's due to the fact, that they have OpenNTPd. The
> status for FreeBSD on that page is still "unknown".

Yes, FreeBSD is vulnerable, and we have informed CERT of that fact, so
I don't know why they have us down as "unknown".

We are preparing an advisory for tomorrow. As was the case with BIND,
this takes more work than for many other operating systems since we
maintain older versions in older branches; for instance, 8.4 has 4.2.4.

DES
-- 
Dag-Erling Smørgrav - des@des.no