From: Xin Li
Organization: The FreeBSD Project
Date: Thu, 09 Jan 2014 21:18:56 -0800
To: Palle Girgensohn, Eugene Grosbein
Cc: freebsd-security@freebsd.org
Subject: Re: NTP security hole CVE-2013-5211?

On 1/9/14, 6:12 AM, Palle Girgensohn wrote:
>
> On 9 Jan 2014, at 15:08, Eugene Grosbein wrote:
>
>> On 09.01.2014 19:38, Palle Girgensohn wrote:
>>> They recommend at least 4.2.7. Any thoughts about this?
>>
>> Other than updating ntpd, you can filter out requests to
>> 'monlist' command with 'restrict ... noquery' option that
>> disables some queries for the internal ntpd status, including
>> 'monlist'.
>>
>> See http://support.ntp.org/bin/view/Support/AccessRestrictions
>> for details.
>
> Yes. But shouldn't there be a security advisory for FreeBSD
> specifically?

We will have an advisory next week. If an NTP server is properly configured, it's likely that they are not affected (the old FreeBSD default is a little bit vague on how to properly configure the daemon, though; the new default on -CURRENT and supported -STABLE branches should be sufficient to provide protection).

Cheers,
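
Added example, not part of the original message or of FreeBSD's own tooling: a Python check that reads ntp.conf text and reports which address families have a default `restrict` entry lacking `noquery` (or `ignore`), the option the quoted reply recommends for refusing `monlist`. The two sample configurations are constructed, and counting a bare `restrict default` as IPv4-only is a conservative assumption of this example.

```python
# Added example: audit ntp.conf text for default 'restrict' lines lacking 'noquery'.
SAMPLE_WEAK = """\
# constructed sample: no default restriction at all
server 0.freebsd.pool.ntp.org iburst
restrict 127.0.0.1
"""

SAMPLE_HARDENED = """\
# constructed sample: queries refused by default, allowed from localhost
server 0.freebsd.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
"""

BLOCKING = {"noquery", "ignore"}  # flags that refuse ntpq/ntpdc queries such as monlist


def default_restrictions(conf_text):
    """Return {'ipv4': flags-or-None, 'ipv6': flags-or-None} for 'restrict default'."""
    found = {"ipv4": None, "ipv6": None}
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        args = tokens[1:]
        family = "ipv4"  # assumption: bare 'default' is counted as IPv4 only
        if args[0] in ("-4", "-6"):
            family = "ipv6" if args[0] == "-6" else "ipv4"
            args = args[1:]
        if args and args[0] == "default":
            found[family] = set(args[1:])  # a later entry replaces an earlier one
    return found


def audit(conf_text):
    """List the address families whose default policy still answers status queries."""
    exposed = []
    for family, flags in default_restrictions(conf_text).items():
        if flags is None or not (flags & BLOCKING):
            exposed.append(family)
    return exposed


if __name__ == "__main__":
    for name, conf in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, "->", audit(conf) or "default policy refuses queries")
```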