Date:      Tue, 14 Jan 2014 21:15:11 +0000 (UTC)
From:      Remko Lodder <remko@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r339721 - head/security/vuxml
Message-ID:  <201401142115.s0ELFB1Q068278@svn.freebsd.org>

Author: remko (src,doc committer)
Date: Tue Jan 14 21:15:10 2014
New Revision: 339721
URL: http://svnweb.freebsd.org/changeset/ports/339721
QAT: https://qat.redports.org/buildarchive/r339721/

Log:
  Fix the latest entry, it has many issues, make validate
  told us exactly what was wrong. I redid the entry and
  just took out the ul/li structure and replaced it with
  regular paragraphs. It might be worth investigating
  to use the FreeBSD SA that got released because of this
  as the main text, which is best suited imo.
  
  Hat:	    secteam

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Tue Jan 14 21:14:46 2014	(r339720)
+++ head/security/vuxml/vuln.xml	Tue Jan 14 21:15:10 2014	(r339721)
@@ -52,7 +52,7 @@ Note:  Please add new entries to the beg
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
   <vuln vid="3d95c9a7-7d5c-11e3-a8c1-206a8a720317">
-    <topic>ntpd DRDoS / Amplification Attack using ntpdc monlist command </topic>
+    <topic>ntpd DRDoS / Amplification Attack using ntpdc monlist command</topic>
     <affects>
       <package>
 	<name>ntp</name>
@@ -63,26 +63,23 @@ Note:  Please add new entries to the beg
       <body xmlns="http://www.w3.org/1999/xhtml">;
 	<p>ntp.org reports:</p>
 	<blockquote cite="http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using">;
-	  <ul>
-	    <li> References: CVE-2013-5211 / VU#348126
-	    <li>Versions: All releases prior to 4.2.7p26
-	    <li>Date Resolved: 2010/04/24
-	    <li>Summary: Unrestricted access to the monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013 
-	    <li>Mitigation:
-	      <ul>
-		<li>Upgrade to 4.2.7p26 or later.
-		<li>Users of versions before 4.2.7p26 should either:
-		  <ul>
-		    <li>Use noquery to your default restrictions to block all status queries.
-		    <li>Use disable monitor to disable the ntpdc -c monlist command while still allowing other status queries. 
-		  </ul>
-	     </ul>
-	  </ul>
+	  <p>Unrestricted access to the monlist feature in
+	    ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote
+	    attackers to cause a denial of service (traffic
+	    amplification) via forged (1) REQ_MON_GETLIST or (2)
+	    REQ_MON_GETLIST_1 requests, as exploited in the wild in
+	    December 2013</p>
+	  <p>Use noquery to your default restrictions to block all
+	    status queries.</p>
+	  <p>Use disable monitor to disable the ``ntpdc -c monlist''
+	    command while still allowing other status queries.</p>
 	</blockquote>
       </body>
     </description>
     <references>
       <cvename>CVE-2013-5211</cvename>
+      <freebsdsa>SA-14:02.ntpd</freebsdsa>
+      <url>http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using</url>;
     </references>
     <dates>
       <discovery>2014-01-01</discovery>
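Review bot: the rewritten blockquote in this hunk drops the upgrade advice and the condition that framed the two workarounds. The removed list carried "Upgrade to 4.2.7p26 or later." and introduced the noquery and disable monitor items with "Users of versions before 4.2.7p26 should either:"; the new paragraphs keep only the two workarounds, so they read as unconditional steps instead of alternatives for installations that cannot upgrade. Suggest restoring the upgrade line and the "either" lead-in as ordinary paragraphs, which still avoids the ul/li structure that failed validation. The VU#348126 identifier from the removed References line is also not carried into the references block; a certvu entry next to the added freebsdsa and url lines would keep it. Minor: the first new paragraph ends at "December 2013" with no full stop, and since the text sits inside a blockquote with a cite attribute, the wording should stay as close to the cited notice as the markup allows.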


