From owner-freebsd-security@FreeBSD.ORG Tue Jan 14 13:11:43 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 879C9106; Tue, 14 Jan 2014 13:11:43 +0000 (UTC) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id 47AF71358; Tue, 14 Jan 2014 13:11:41 +0000 (UTC) Received: from nine.des.no (smtp.des.no [194.63.250.102]) by smtp-int.des.no (Postfix) with ESMTP id 331237565; Tue, 14 Jan 2014 13:11:37 +0000 (UTC) Received: by nine.des.no (Postfix, from userid 1001) id 764403420B; Tue, 14 Jan 2014 14:11:32 +0100 (CET) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: Garrett Wollman Subject: Re: UNS: Re: NTP security hole CVE-2013-5211? References: <52CEAD69.6090000@grosbein.net> <21199.26019.698585.355699@hergotha.csail.mit.edu> Date: Tue, 14 Jan 2014 14:11:32 +0100 In-Reply-To: <21199.26019.698585.355699@hergotha.csail.mit.edu> (Garrett Wollman's message of "Thu, 9 Jan 2014 22:14:43 -0500") Message-ID: <868uuid7y3.fsf@nine.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: freebsd-security@freebsd.org, Palle Girgensohn X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Jan 2014 13:11:43 -0000 Garrett Wollman writes: > For a "pure" client, I would suggest "restrict default ignore" ought > to be the norm. (Followed by entries to unrestrict localhost over v4 > and v6.) Pure clients shouldn't use ntpd(8). They should use sntp(8) or a lightweight NTP client like ttsntpd. DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no