From: Xin Li (The FreeBSD Project)
Reply-To: d@delphij.net
To: Garrett Wollman, Eugene Grosbein
Cc: freebsd-security@freebsd.org, Palle Girgensohn
Date: Thu, 09 Jan 2014 21:16:51 -0800
Subject: Re: UNS: Re: NTP security hole CVE-2013-5211?
Message-ID: <52CF8243.7060906@delphij.net>
References: <52CEAD69.6090000@grosbein.net> <21199.26019.698585.355699@hergotha.csail.mit.edu>
In-Reply-To: <21199.26019.698585.355699@hergotha.csail.mit.edu>

On 1/9/14, 7:14 PM, Garrett Wollman wrote:
> < said:
>
>> Other than updating ntpd, you can filter out requests to
>> 'monlist' command with 'restrict ... noquery' option that
>> disables some queries for the internal ntpd status, including
>> 'monlist'.
>
> For a "pure" client, I would suggest "restrict default ignore"
> ought to be the norm. (Followed by entries to unrestrict localhost
> over v4 and v6.)

That would block clock synchronization too, unless one explicitly
unrestricts all NTP servers. With pool.ntp.org, this is not really
practical. The current default on head stable branches should work for
most people.
Cheers,
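The two approaches discussed in this thread side by side, as an added ntp.conf example that is not from the thread or from FreeBSD's shipped configuration. It assumes the ntp 4.2.x `restrict` syntax (the `-4`/`-6` forms and the `kod`, `nomodify`, `notrap`, `nopeer` and `noquery` flags); the freebsd.pool.ntp.org server names are illustrative and any rotating pool would behave the same way.

```conf
# --- What the reply warns against ------------------------------------------
# "restrict default ignore" drops every packet whose source is not explicitly
# unrestricted below. That includes the time replies from the pool servers
# configured further down, so the clock never synchronizes. It only works if
# every upstream server gets its own "restrict <ip>" line, which pool.ntp.org's
# rotating addresses make impractical. Kept commented out for comparison.
#
# restrict default ignore
# restrict 127.0.0.1
# restrict -6 ::1

# --- Pure-client restriction (assumed ntp 4.2.x flag semantics) --------------
# Time replies from any server are still accepted, but remote control and
# status queries, including the mode 7 "monlist" request behind CVE-2013-5211,
# are refused:
#   kod       answer rate-limit violations with a Kiss-o'-Death packet
#   nomodify  refuse ntpq/ntpdc requests that would change the configuration
#   notrap    refuse the mode 6 trap service
#   nopeer    refuse to form an association with an unconfigured peer
#   noquery   refuse ntpq/ntpdc status queries, which is what blocks monlist
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Local administration over loopback keeps full query access, so "ntpq -p"
# on the host itself still works.
restrict 127.0.0.1
restrict -6 ::1

# Upstream servers from the pool (illustrative names). No per-server
# "restrict" line is needed because the default above does not ignore them.
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
server 2.freebsd.pool.ntp.org iburst
```

After restarting ntpd with the second configuration, `ntpq -p` run on the host should list a synchronized peer within a few minutes, while the same status queries from any other address are refused; with the commented-out `restrict default ignore` variant, `ntpq -p` keeps showing unreachable peers because their replies are discarded. The restriction is a mitigation for the amplification traffic only; the upgrade mentioned at the top of the thread is still what removes the vulnerable code.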