From: Axel
Date: Wed, 3 Sep 2014 13:08:07 +0200
Subject: Re: [Bulk] Re: Stale NTP software included in FreeBSD (RELEASE/STABLE/CURRENT)
To: Mark Martinec, freebsd-stable@freebsd.org, john.marshall@riverwillow.com.au
In-Reply-To: <5152f44f37895d107ae439997bc4cc3c@mailbox.ijs.si>
List-Id: Production branch of FreeBSD source code

On Wed, Sep 3, 2014 at 11:56 AM, Mark Martinec wrote:
> 2014-09-03 08:10, John Marshall wrote:
>
>> All of the following FreeBSD releases included stale NTP software at the
>> time of their release.
>>
>> 8.3-RELEASE (ntp 4.2.4p5)
>> 8.4-RELEASE (ntp 4.2.4p5)
>> 9.0-RELEASE (ntp 4.2.4p8)
>> 9.1-RELEASE (ntp 4.2.4p8)
>> 9.2-RELEASE (ntp 4.2.4p8)
>> 9.3-RELEASE (ntp 4.2.4p8)
>> 10.0-RELEASE (ntp 4.2.4p8)
>>
>> ntp 4.2.4 is the version that shipped in all of the above releases and
>> is also included in 10-STABLE and 11-CURRENT at present. ntp 4.2.4 was
>> superseded by the ntp 4.2.6 release on 12-Dec-2009. Is there any
>> interest in getting a supported version of the ntp software into the
>> upcoming 10.1 release? I would have thought that the latest patch
>> release of the stable ntp version (4.2.6p5 24-DEC-2011) would be
>> appropriate? I know that the ntp folks are working on releasing 4.2.8
>> but it isn't quite there yet.
>>
>> I understand that this is a volunteer project and that volunteers don't
>> have time to do everything. I'm just waving the flag in case this is
>> something that may have been overlooked.
>>
>> Thank you to all those committers who look after vendor imports for all
>> of the contributed software that helps make up the FreeBSD releases.
>>
>
> A version ntp-4.2.6p5 is in ports (net/ntp), but is marked as
> forbidden due to CVE-2013-5211:
>
> The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26
> allows remote attackers to cause a denial of service (traffic
> amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1
> requests, as exploited in the wild in December 2013.
>
> Just recently I came across another problem with the 4.2.4 from base,
> which ended up with me opening a PR on the ntp bugzilla:
>
> Bug 2648 - 'restrict default' should imply both IP protocol families
> http://bugs.ntp.org/show_bug.cgi?id=2648
>

Did you try to add:

    restrict default ignore
    restrict -6 default ignore

I followed the steps described here:
http://support.ntp.org/bin/view/Support/AccessRestrictions

> ... only to realize later that by mistake I was testing against the
> FreeBSD base version of ntp, and the problem is fixed in net/ntp-devel.
>
> The thing is that when trying to address the amplification attack by
> restricting ntp queries, it turns out that the 'restrict default'
> only applies to IPv4, and the IPv6 access is left open wide.
> Still need to figure out which version fixed that, it works
> as expected in the current 4.2.7p470.
>
> So, I'm definitely for upgrading the ntp to something more recent.
> The exact version remains to be investigated.
>
> Mark
>
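The check this exchange calls for, as an added example that is not part of the thread and not code from the ntp project or FreeBSD: a small Python probe that sends the mode-7 REQ_MON_GETLIST_1 request behind CVE-2013-5211 and decodes the reply, run separately against a server's IPv4 and IPv6 addresses, so the situation Mark describes (a 'restrict default' that covers only IPv4) shows up as "no reply" on one family and a list of client records on the other. The packet layouts are taken from ntp_request.h (req_pkt/resp_pkt header, struct info_monitor_1); the probe() helper, the constructed_sample_response() reply, and its addresses and counters are my own constructions for offline testing.

```python
"""Probe an NTP server for the mode-7 'monlist' amplifier (CVE-2013-5211)
over IPv4 and IPv6 separately. Added example for this thread, not code from
the ntp project or FreeBSD; packet layouts follow ntp_request.h (req_pkt,
resp_pkt, info_monitor_1). The sample reply at the bottom is hand-built with
documentation addresses so the parser can be checked without a live server."""
import socket
import struct
import sys

MODE_PRIVATE = 7            # "mode 7": ntpd's private monitoring/control protocol
NTP_VERSION = 2
IMPL_XNTPD = 3              # implementation number ntpd answers to
REQ_MON_GETLIST_1 = 42      # request code for the extended monlist
INFO_MONITOR_1_SIZE = 72    # sizeof(struct info_monitor_1)
HDR = "!BBBBHH"             # rm_vn_mode, auth_seq, impl, request, err_nitems, mbz_itemsize


def build_monlist_request() -> bytes:
    """Eight-byte header-only request: version 2, mode 7, no auth, no data."""
    rm_vn_mode = (NTP_VERSION << 3) | MODE_PRIVATE      # response=0, more=0
    return struct.pack(HDR, rm_vn_mode, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def parse_monlist_response(data: bytes) -> dict:
    """Decode one reply fragment; ValueError if it is not a mode-7 monlist reply."""
    if len(data) < 8:
        raise ValueError("short packet")
    rm_vn_mode, auth_seq, impl, req, err_nitems, mbz_itemsize = struct.unpack(HDR, data[:8])
    if not (rm_vn_mode & 0x80) or (rm_vn_mode & 0x07) != MODE_PRIVATE:
        raise ValueError("not a mode-7 response")
    if impl != IMPL_XNTPD or req != REQ_MON_GETLIST_1:
        raise ValueError("reply to a different request")
    out = {"error": err_nitems >> 12, "nitems": err_nitems & 0x0FFF,
           "more": bool(rm_vn_mode & 0x40), "seq": auth_seq & 0x7F, "records": []}
    if out["error"]:                                    # 8-byte error reply, no records
        return out
    itemsize, body = mbz_itemsize & 0x0FFF, data[8:]
    if itemsize != INFO_MONITOR_1_SIZE or len(body) < out["nitems"] * itemsize:
        raise ValueError("unexpected item size or truncated body")
    for i in range(out["nitems"]):
        item = body[i * itemsize:(i + 1) * itemsize]
        (lasttime, _first, _drop, count, addr, _daddr, _flags, port, mode,
         version, v6_flag, _unused) = struct.unpack("!IIIIIIIHBBII", item[:40])
        client = (socket.inet_ntop(socket.AF_INET6, item[40:56]) if v6_flag
                  else socket.inet_ntop(socket.AF_INET, struct.pack("!I", addr)))
        out["records"].append({"client": client, "port": port, "count": count,
                               "mode": mode, "version": version, "lasttime": lasttime})
    return out


def amplification_factor(request: bytes, replies) -> float:
    """Bytes received per byte sent (a full fragment is 8 + 6*72 = 440 bytes)."""
    return sum(len(r) for r in replies) / len(request)


def probe(host: str, family: int = socket.AF_UNSPEC, timeout: float = 2.0) -> dict:
    """Send the request to each address of host in the given family and collect
    fragments until one arrives without the 'more' bit or the socket times out.
    An empty list means the server ignored us (what 'restrict ... ignore' does)."""
    results = {}
    for af, stype, proto, _, sockaddr in socket.getaddrinfo(host, 123, family, socket.SOCK_DGRAM):
        raw = []
        with socket.socket(af, stype, proto) as s:
            s.settimeout(timeout)
            s.sendto(build_monlist_request(), sockaddr)
            try:
                while True:
                    data, _ = s.recvfrom(1024)
                    raw.append(data)
                    if not parse_monlist_response(data)["more"]:
                        break
            except socket.timeout:
                pass
        results[sockaddr[0]] = raw
    return results


def constructed_sample_response() -> bytes:
    """Hand-built reply (constructed, not a capture): one IPv4 and one IPv6 client
    record with made-up counters, using RFC 5737 / RFC 3849 example addresses."""
    def record(v4=None, v6=None, count=1):
        addr = struct.unpack("!I", socket.inet_pton(socket.AF_INET, v4))[0] if v4 else 0
        fixed = struct.pack("!IIIIIIIHBBII", 10, 5, 0, count, addr, 0, 0, 123, 3, 4, int(bool(v6)), 0)
        addr6 = socket.inet_pton(socket.AF_INET6, v6) if v6 else b"\0" * 16
        return fixed + addr6 + b"\0" * 16               # addr6, then an all-zero daddr6
    hdr = struct.pack(HDR, 0x80 | (NTP_VERSION << 3) | MODE_PRIVATE, 0, IMPL_XNTPD,
                      REQ_MON_GETLIST_1, 2, INFO_MONITOR_1_SIZE)
    return hdr + record(v4="192.0.2.10", count=7) + record(v6="2001:db8::10", count=3)


if __name__ == "__main__":                               # usage: monlist_probe.py <host>
    for fam in (socket.AF_INET, socket.AF_INET6):       # check each family on its own
        try:
            for ip, raw in probe(sys.argv[1], fam).items():
                n = sum(len(parse_monlist_response(r)["records"]) for r in raw)
                print(ip, "no reply (restricted)" if not raw else
                      f"{n} record(s), x{amplification_factor(build_monlist_request(), raw):.1f}")
        except socket.gaierror:
            pass                                        # host has no address in this family
```

Only point this at servers you are authorised to test: the request is the amplification trigger itself. Two outcomes are worth telling apart. With 'restrict default ignore' and 'restrict -6 default ignore' (or 'noquery' in place of 'ignore') the server sends nothing in either family; with 'disable monitor' alone it still answers, but with an 8-byte error reply and no records, which also removes the amplification. A server that answers with records on its IPv6 address but not its IPv4 address is the 4.2.4 behaviour Mark reports above.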