From owner-freebsd-stable@FreeBSD.ORG Wed Sep 3 12:16:48 2014
Date: Wed, 03 Sep 2014 07:16:39 -0500
From: dweimer
Reply-To: dweimer@dweimer.net
To: Ronald Klop
Cc: owner-freebsd-stable@freebsd.org, freebsd-stable@freebsd.org
Subject: Re: Stale NTP software included in FreeBSD (RELEASE/STABLE/CURRENT)
Organization: dweimer.net
In-Reply-To:
References: <20140903061024.GA14382@rwpc15.gfn.riverwillow.net.au>
Message-ID: <79435abc6a25af126747cdd036a8fafa@dweimer.net>
User-Agent: Roundcube Webmail/1.0.2
List-Id: Production branch of FreeBSD source code

On 09/03/2014 6:39 am, Ronald Klop wrote:
> On Wed, 03 Sep 2014 08:10:24 +0200, John Marshall wrote:
>
>> All of the following FreeBSD releases included stale NTP software at the
>> time of their release.
>>
>> 8.3-RELEASE (ntp 4.2.4p5)
>> 8.4-RELEASE (ntp 4.2.4p5)
>> 9.0-RELEASE (ntp 4.2.4p8)
>> 9.1-RELEASE (ntp 4.2.4p8)
>> 9.2-RELEASE (ntp 4.2.4p8)
>> 9.3-RELEASE (ntp 4.2.4p8)
>> 10.0-RELEASE (ntp 4.2.4p8)
>>
>> ntp 4.2.4 is the version that shipped in all of the above releases and
>> is also included in 10-STABLE and 11-CURRENT at present. ntp 4.2.4 was
>> superseded by the ntp 4.2.6 release on 12-Dec-2009. Is there any
>> interest in getting a supported version of the ntp software into the
>> upcoming 10.1 release? I would have thought that the latest patch
>> release of the stable ntp version (4.2.6p5 24-DEC-2011) would be
>> appropriate? I know that the ntp folks are working on releasing 4.2.8
>> but it isn't quite there yet.
>>
>> I understand that this is a volunteer project and that volunteers don't
>> have time to do everything. I'm just waving the flag in case this is
>> something that may have been overlooked.
>>
>> Thank you to all those committers who look after vendor imports for all
>> of the contributed software that helps make up the FreeBSD releases.
>>
>
> I think that before discussing 10.1 it is nice to create patches for
> 11-CURRENT and try to update it there.

I think it would likely be a good idea for someone to address the 4.2.6
being marked as FORBIDDEN since January with a reference to CVE-2013-5211 /
VU#348126 before it's put in base.

I have been running a few of my servers using WITHOUT_NTP in /etc/src.conf
and running the ports version, as the old version number gets flagged in
PCI scans. Now, sadly, I run the ntp-devel port on 4.2.7, which is probably
less secure but does pass the scans.

-- 
Thanks,
   Dean E. Weimer
   http://www.dweimer.net/
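The version-banner check that a PCI scanner applies to ntpd, written out as an added example that is not part of this thread or of FreeBSD: it parses an "ntpd --version"-style line, orders versions of the form MAJOR.MINOR.POINT[pPATCH], and reports whether a build is older than a minimum you choose (4.2.6p5 here). The sample banners are constructed to match the versions the thread discusses.

```shell
#!/bin/sh
# Added example, not code from the thread: classify an ntpd build as stale
# or current by comparing its version string against a chosen minimum,
# which is essentially what a compliance scanner does with the banner.
# Assumed format: MAJOR.MINOR.POINT[pPATCH] (4.2.4p8, 4.2.6p5, 4.2.7p441);
# a missing "pN" counts as patch level 0.

# Extract the bare version from an "ntpd --version"-style banner line.
ntp_banner_version() {
    printf '%s\n' "$1" |
        sed -n 's/^ntpd \([0-9][0-9.]*p\{0,1\}[0-9]*\).*/\1/p'
}

# Turn "4.2.6p5" into the sortable integer 402060005 (fails on bad input).
ntp_version_key() {
    set -- $(printf '%s\n' "$1" |
        sed 's/^\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\)p\{0,1\}\([0-9]*\)$/\1 \2 \3 \4/')
    [ $# -ge 3 ] || return 1
    echo $(( $1 * 100000000 + $2 * 1000000 + $3 * 10000 + ${4:-0} ))
}

# True (exit 0) when VERSION is older than MINIMUM; exit 2 on unparsable input.
ntp_is_stale() {
    v=$(ntp_version_key "$1") || return 2
    m=$(ntp_version_key "$2") || return 2
    [ "$v" -lt "$m" ]
}

# Report one banner against the minimum: prints "stale (...)" or "ok (...)".
ntp_check_banner() {
    ver=$(ntp_banner_version "$1")
    [ -n "$ver" ] || { echo "unparsed"; return 2; }
    if ntp_is_stale "$ver" "$2"; then echo "stale ($ver < $2)"; return 1; fi
    echo "ok ($ver)"
}

# Constructed sample banners: base ntp 4.2.4p8, ports 4.2.6p5, ntp-devel 4.2.7.
MINIMUM=4.2.6p5
for banner in \
    'ntpd 4.2.4p8@1.1612-o Wed Sep  3 12:00:00 UTC 2014 (1)' \
    'ntpd 4.2.6p5@1.2349-o Wed Sep  3 12:00:00 UTC 2014 (1)' \
    'ntpd 4.2.7p441@1.2483-o Wed Sep  3 12:00:00 UTC 2014 (1)'
do
    ntp_check_banner "$banner" "$MINIMUM" || true
done
```

Note that the ordering is purely numeric, so a development build such as 4.2.7p441 passes the minimum even though, as the thread points out, newer is not the same as better vetted.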