From: Xin Li
Organization: The FreeBSD Project
Reply-To: d@delphij.net
Date: Mon, 13 Jan 2014 11:41:39 -0800
To: Cristiano Deana, Xin LI
Cc: freebsd-security@freebsd.org, Palle Girgensohn
Subject: Re: NTP security hole CVE-2013-5211?
Message-ID: <52D44173.1070007@delphij.net>
References: <52CEAD69.6090000@grosbein.net> <81785015-5083-451C-AC0B-4333CE766618@FreeBSD.org> <52CF82C0.9040708@delphij.net>
List-Id: "Security issues [members-only posting]"

On 01/13/14 02:08, Cristiano Deana wrote:
> On Fri, Jan 10, 2014 at 6:18 AM, Xin Li wrote:
>
>> Hi,
>>
>> We will have an advisory next week. If an NTP server is properly
>> configured, it's likely that they are not affected
>
> I had this problem in November, and asked -current to integrate the new
> version of ntpd in base (see my mail "[request] ntp upgrade" 11/27/13
> http://lists.freebsd.org/pipermail/freebsd-current/2013-November/046822.html
> ).
> I tried several workarounds with config and policy, and ended up you MUST
> have 4.2.7 to stop this kind of attack.

Do you have packet captures?  If the configuration I have suggested
didn't stop the attack, you may have a different issue than what we
have found.

> I think it's better to upgrade the version in base AND to write a
> security advisory.

I wish we could, but 4.2.7 is a moving target right now.  Most Open
Source projects do not provide support for their development branch or
snapshots, and it would be a headache from a support perspective,
because once a FreeBSD release is released, we would support it for at
least 12 months (some releases are supported for 24 months or even
more).

Cheers,
-- 
Xin LI    https://www.delphij.net/
FreeBSD - The Power to Serve!    Live free or die
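Two things a defender would want to do with this thread in hand are to look at a packet capture for the query CVE-2013-5211 abuses (the ntpd mode 7 "monlist" request, which ntpdc uses to dump the peer monitor list) and to verify that an ntp.conf actually turns it off (on 4.2.6 a `restrict default ... noquery` line, or `disable monitor`). The following is an added example written for this page, not code from the thread or from the FreeBSD or NTP projects; the packets, addresses (RFC 5737 documentation ranges) and config fragments are constructed, and the function names are my own.

```python
"""Classify NTP UDP payloads from a capture, flag mode 7 monlist queries,
and check an ntp.conf for the settings that neutralise them on ntpd 4.2.6.
Added example with constructed sample data; not the project's own code."""

# NTP mode lives in the low 3 bits of the first byte of every NTP packet.
MODE_CLIENT = 3
MODE_SERVER = 4
MODE_PRIVATE = 7  # "mode 7": ntpdc's private monitoring/control protocol

# Mode 7 request codes for the monitor list (from ntpd's ntp_request.h).
REQ_MON_GETLIST = 20
REQ_MON_GETLIST_1 = 42
MONLIST_CODES = {REQ_MON_GETLIST, REQ_MON_GETLIST_1}


def classify_ntp(payload: bytes) -> dict:
    """Describe one UDP payload: NTP version and mode, and for mode 7 packets
    the response bit, implementation byte, request code and monlist flag."""
    if len(payload) < 4:
        return {"mode": None, "monlist": False, "reason": "too short"}
    first = payload[0]
    info = {"mode": first & 0x07, "version": (first >> 3) & 0x07, "monlist": False}
    if info["mode"] == MODE_PRIVATE:
        # Mode 7 header: byte0 = R|M|VN(3)|Mode(3), byte1 = A|Seq(7),
        # byte2 = implementation, byte3 = request code.
        req_code = payload[3]
        info.update({
            "response": bool(first & 0x80),
            "implementation": payload[2],
            "request_code": req_code,
            "monlist": req_code in MONLIST_CODES,
        })
    return info


def monlist_requests_by_source(packets) -> dict:
    """Count monlist *requests* (not the server's replies) per claimed source
    address. In an amplification attack the source is the spoofed victim, so
    a single address with many requests is the signature to look for."""
    counts = {}
    for src, payload in packets:
        info = classify_ntp(payload)
        if info["monlist"] and not info.get("response"):
            counts[src] = counts.get(src, 0) + 1
    return counts


def conf_blocks_monlist(conf_text: str) -> bool:
    """True if ntp.conf disables the monitor list ('disable monitor') or if
    every 'restrict default' line (plain, -4 or -6) carries 'noquery' or
    'ignore'. Heuristic line parser; comments and blank lines are skipped."""
    default_ok = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[:2] == ["disable", "monitor"]:
            return True
        if tokens[0] == "restrict":
            rest = tokens[1:]
            if rest and rest[0] in ("-4", "-6"):
                rest = rest[1:]
            if rest and rest[0] == "default":
                default_ok.append(bool(set(rest[1:]) & {"noquery", "ignore"}))
    return bool(default_ok) and all(default_ok)


# --- constructed sample data (not from any real capture) -------------------
# Ordinary v3 client time request: first byte 0x1b = VN 3, mode 3, 48 bytes.
SAMPLE_CLIENT = bytes([0x1B]) + b"\x00" * 47
# Mode 7 monlist request: 0x17 = VN 2, mode 7; impl 3 (XNTPD); code 42.
SAMPLE_MONLIST_REQ = bytes([0x17, 0x00, 0x03, 0x2A]) + b"\x00" * 4
# A monlist reply from a server: same header with the R (response) bit set.
SAMPLE_MONLIST_RESP = bytes([0x97, 0x00, 0x03, 0x2A]) + b"\x00" * 4

SAMPLE_CAPTURE = [  # (source address, UDP payload)
    ("198.51.100.5", SAMPLE_CLIENT),
    ("192.0.2.10", SAMPLE_MONLIST_REQ),
    ("192.0.2.10", SAMPLE_MONLIST_REQ),
    ("203.0.113.7", SAMPLE_MONLIST_RESP),  # a reply, not a query
]

WEAK_CONF = """\
# constructed: clients may still query status, so monlist is reachable
server 0.freebsd.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
"""

HARDENED_CONF = """\
# constructed: queries denied by default and the monitor list disabled
server 0.freebsd.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
disable monitor
"""

if __name__ == "__main__":
    print("monlist requests by source:", monlist_requests_by_source(SAMPLE_CAPTURE))
    print("weak conf blocks monlist:", conf_blocks_monlist(WEAK_CONF))
    print("hardened conf blocks monlist:", conf_blocks_monlist(HARDENED_CONF))
```

To use it on a real capture, feed `monlist_requests_by_source` the (source, payload) pairs of UDP/123 packets addressed to the server; a capture in which the attack continued despite a `noquery` default restriction would point, as the reply above says, at a different problem than CVE-2013-5211.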