Date: Wed, 03 Sep 2014 11:56:51 +0200
From: Mark Martinec
To: freebsd-stable@freebsd.org
Subject: Re: Stale NTP software included in FreeBSD (RELEASE/STABLE/CURRENT)
Organization: J. Stefan Institute
In-Reply-To: <20140903061024.GA14382@rwpc15.gfn.riverwillow.net.au>
References: <20140903061024.GA14382@rwpc15.gfn.riverwillow.net.au>
Message-ID: <5152f44f37895d107ae439997bc4cc3c@mailbox.ijs.si>

2014-09-03 08:10, John Marshall wrote:
> All of the following FreeBSD releases included stale NTP software at the
> time of their release.
>
> 8.3-RELEASE (ntp 4.2.4p5)
> 8.4-RELEASE (ntp 4.2.4p5)
> 9.0-RELEASE (ntp 4.2.4p8)
> 9.1-RELEASE (ntp 4.2.4p8)
> 9.2-RELEASE (ntp 4.2.4p8)
> 9.3-RELEASE (ntp 4.2.4p8)
> 10.0-RELEASE (ntp 4.2.4p8)
>
> ntp 4.2.4 is the version that shipped in all of the above releases and
> is also included in 10-STABLE and 11-CURRENT at present. ntp 4.2.4 was
> superseded by the ntp 4.2.6 release on 12-Dec-2009. Is there any
> interest in getting a supported version of the ntp software into the
> upcoming 10.1 release? I would have thought that the latest patch
> release of the stable ntp version (4.2.6p5 24-DEC-2011) would be
> appropriate? I know that the ntp folks are working on releasing 4.2.8
> but it isn't quite there yet.
>
> I understand that this is a volunteer project and that volunteers don't
> have time to do everything. I'm just waving the flag in case this is
> something that may have been overlooked.
>
> Thank you to all those committers who look after vendor imports for all
> of the contributed software that helps make up the FreeBSD releases.

A version ntp-4.2.6p5 is in ports (net/ntp), but is marked as forbidden
due to CVE-2013-5211:

  The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26
  allows remote attackers to cause a denial of service (traffic
  amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1
  requests, as exploited in the wild in December 2013.

Just recently I came across another problem with the 4.2.4 from base,
which ended up with me opening a PR on the ntp bugzilla:

  Bug 2648 - 'restrict default' should imply both IP protocol families
  http://bugs.ntp.org/show_bug.cgi?id=2648

... only to realize later that by mistake I was testing against the
FreeBSD base version of ntp, and the problem is fixed in net/ntp-devel.

The thing is that when trying to address the amplification attack
by restricting ntp queries, it turns out that the 'restrict default'
only applies to IPv4, and the IPv6 access is left open wide.
Still need to figure out which version fixed that, it works as
expected in the current 4.2.7p470.

So, I'm definitely for upgrading the ntp to something more recent.
The exact version remains to be investigated.

Mark
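
A check for the gap described in the message above, as an added example that is not part of the original post or of the ntp project's code: it reports which address families have no query-blocking `restrict default` line in an ntp.conf. The function name, the sample configurations and the `default_is_ipv4_only` switch (which models the behaviour the message reports for the 4.2.4 base version) are assumptions made for this illustration.

```python
# Added example: audit 'restrict default' coverage per address family.
QUERY_BLOCKING = {"noquery", "ignore"}  # either flag stops ntpq/ntpdc queries

def uncovered_families(conf_text, default_is_ipv4_only=True):
    """Return the families with no query-blocking 'restrict default' line.

    default_is_ipv4_only=True models the behaviour reported above for the
    4.2.4 base version, where a bare 'restrict default' covers IPv4 only.
    Simplification (assumption): a family counts as covered if any of its
    'restrict default' lines carries a blocking flag.
    """
    flags = {"ipv4": set(), "ipv6": set()}
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        args = tokens[1:]
        if args[0] in ("-4", "-6"):            # explicit family qualifier
            targets = ["ipv4" if args[0] == "-4" else "ipv6"]
            args = args[1:]
        elif default_is_ipv4_only:
            targets = ["ipv4"]
        else:
            targets = ["ipv4", "ipv6"]
        if not args or args[0] != "default":   # only the default entry matters here
            continue
        for family in targets:
            flags[family].update(args[1:])
    return sorted(f for f, seen in flags.items() if not seen & QUERY_BLOCKING)

# Constructed sample configurations (not taken from any real host).
IPV4_ONLY = """\
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
"""
BOTH_FAMILIES = IPV4_ONLY + "restrict -6 default kod nomodify notrap nopeer noquery\n"

if __name__ == "__main__":
    for name, conf in (("IPV4_ONLY", IPV4_ONLY), ("BOTH_FAMILIES", BOTH_FAMILIES)):
        print(name, "open to queries on:", uncovered_families(conf) or "none")
```

Calling it with `default_is_ipv4_only=False` shows how the same file is read by a version where the bare `restrict default` covers both families.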