From: Eugene Grosbein
Date: Thu, 09 Jan 2014 21:08:41 +0700
To: Palle Girgensohn
Cc: freebsd-security@freebsd.org
Subject: Re: NTP security hole CVE-2013-5211?
Message-ID: <52CEAD69.6090000@grosbein.net>

On 09.01.2014 19:38, Palle Girgensohn wrote:

> They recommend at least 4.2.7. Any thoughts about this?

Other than updating ntpd, you can filter out requests to the 'monlist' command with the 'restrict ... noquery' option that disables some queries for the internal ntpd status, including 'monlist'.

See http://support.ntp.org/bin/view/Support/AccessRestrictions for details.

Eugene Grosbein
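
An added example, not part of the message above and not code from ntpd or FreeBSD: a small Python check that reads an ntp.conf and lists the `restrict` entries that still permit status queries such as 'monlist' because they carry neither `noquery` nor `ignore`. The sample configuration is constructed, and leaving loopback queryable is an assumed local policy.

```python
# Constructed sample configuration (not taken from the thread).
SAMPLE_CONF = """\
# constructed sample ntp.conf
server 0.freebsd.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 192.0.2.0 mask 255.255.255.0 nomodify  # documentation prefix
"""

# Assumed local policy: loopback may keep query access for ntpq/ntpdc.
LOOPBACK = {"127.0.0.1", "::1"}
# Flags that stop ntpd answering status queries from the matched address.
BLOCKS_QUERIES = {"noquery", "ignore"}

def parse_restrict(line):
    """Return (address, flags) for a 'restrict' line, or None otherwise."""
    tokens = line.split("#", 1)[0].split()
    if len(tokens) < 2 or tokens[0] != "restrict":
        return None
    rest = tokens[1:]
    if rest[0] in ("-4", "-6"):          # optional address-family selector
        rest = rest[1:]
    if not rest:
        return None
    address, rest = rest[0], rest[1:]
    if len(rest) >= 2 and rest[0] == "mask":
        rest = rest[2:]                   # skip 'mask <netmask>'
    return address, set(rest)

def audit(conf_text):
    """Return [(line_number, address)] for entries that permit queries."""
    # Line number 0 means there is no 'restrict default' line at all, so
    # ntpd's built-in default entry carries no restriction flags.
    findings, saw_default = [], False
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        parsed = parse_restrict(line)
        if parsed is None:
            continue
        address, flags = parsed
        saw_default = saw_default or address == "default"
        if address not in LOOPBACK and not (flags & BLOCKS_QUERIES):
            findings.append((lineno, address))
    if not saw_default:
        findings.insert(0, (0, "default"))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

For the constructed sample, the check reports the IPv4 default entry and the 192.0.2.0 entry, both of which need `noquery` added.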