Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 13 Jan 2014 11:41:39 -0800
From:      Xin Li <delphij@delphij.net>
To:        Cristiano Deana <cristiano.deana@gmail.com>, Xin LI <d@delphij.net>
Cc:        freebsd-security@freebsd.org, Palle Girgensohn <girgen@freebsd.org>
Subject:   Re: NTP security hole CVE-2013-5211?
Message-ID:  <52D44173.1070007@delphij.net>
In-Reply-To: <CAO82ECEsS-rKq7A-9w7VuxKpe_c_f=tvZQoRKgHEfi-yPdNeGQ@mail.gmail.com>
References:  <B0F3AA0A-2D23-424B-8A79-817CD2EBB277@FreeBSD.org> <52CEAD69.6090000@grosbein.net> <81785015-5083-451C-AC0B-4333CE766618@FreeBSD.org> <52CF82C0.9040708@delphij.net> <CAO82ECEsS-rKq7A-9w7VuxKpe_c_f=tvZQoRKgHEfi-yPdNeGQ@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help 
On 01/13/14 02:08, Cristiano Deana wrote:
> On Fri, Jan 10, 2014 at 6:18 AM, Xin Li <delphij@delphij.net> wrote:
> 
> Hi,
> 
> We will have an advisory next week.  If a NTP server is properly
>> configured, it's likely that they are not affected
>>
> 
> I had this problem in november, and ask to -current to integrate the new
> versione of ntpd in base (see my mail "[request] ntp upgrade" 11/27/13
> http://lists.freebsd.org/pipermail/freebsd-current/2013-November/046822.html
> ).
> I tried several workaround with config and policy, and ended up you MUST
> have 4.2.7 to stop these kind of attacks.

Do you have packet captures?  If the configuration I have suggested
didn't stop the attack, you may have a different issue than what we have
found.

> I think it's better to upgrade the version in base AND to write a security
> advisory.

I wish we could, but 4.2.7 is a moving target right now.

Most Open Source projects does not provide support to their development
branch or snapshots, and it would be a headache in support prospective,
because once a FreeBSD release is released, we would support it for at
least 12 months (some releases are supported for 24 months or even more).

Cheers,
-- 
Xin LI <delphij@delphij.net>    https://www.delphij.net/
FreeBSD - The Power to Serve!           Live free or die

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?52D44173.1070007>