From owner-freebsd-security@FreeBSD.ORG Fri Nov 1 16:31:09 2013 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id EAA9A237 for ; Fri, 1 Nov 2013 16:31:09 +0000 (UTC) (envelope-from tevans.uk@googlemail.com) Received: from mail-lb0-x22b.google.com (mail-lb0-x22b.google.com [IPv6:2a00:1450:4010:c04::22b]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 786EE2897 for ; Fri, 1 Nov 2013 16:31:09 +0000 (UTC) Received: by mail-lb0-f171.google.com with SMTP id x18so3644107lbi.16 for ; Fri, 01 Nov 2013 09:31:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=RKibIA2e0oZpPRDnad1qTdK4weBlqDENjTrHatQXaec=; b=L2yP5Ylz4RZXfXK9OYFUI19DCJM61ZoZgRnc45LdEu1f401OkpiVTTiVGSWJ/yPlwK Cmz5LYdXoEB2r8oWsp7/m49mEj1yVBtzRFNRbu2wnp/XnUs+zbA9KJhggzD8/6tjvgZz OEpoaoR37rkUPsrwlbpbYutXuKg/z9ZnkiXZS0/kvqDudvZX6mJVgRDEqs309MzYxu6h N2TmGcYg5X9enVRsGgYRfGGi8I139suUk2v0SRdba0MtcyjznetGPdHrwBxJ6BAOHqxO LnCYj+RaufS6LD6O2EGIZhYqqrIrI+nbptZ5RbiiHiinPhqwJBN6HKGdWOCv0tFqBO7g jcNw== MIME-Version: 1.0 X-Received: by 10.152.21.133 with SMTP id v5mr2528021lae.14.1383323467415; Fri, 01 Nov 2013 09:31:07 -0700 (PDT) Received: by 10.112.45.33 with HTTP; Fri, 1 Nov 2013 09:31:07 -0700 (PDT) In-Reply-To: <7403C046ABF387E5061BC441@Mail-PC.tdx.co.uk> References: <7403C046ABF387E5061BC441@Mail-PC.tdx.co.uk> Date: Fri, 1 Nov 2013 16:31:07 +0000 Message-ID: Subject: Re: ntpd 4.2.4p8 - up to date? From: Tom Evans To: Karl Pielorz Content-Type: text/plain; charset=UTF-8 Cc: freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Nov 2013 16:31:10 -0000 On Fri, Nov 1, 2013 at 4:05 PM, Karl Pielorz wrote: > > Hi, > > A friend who uses linux a lot happened to notice on a FreeBSD box I > installed the other day and updated to 9.2-R that it's using ntpd 4.2.4p8. > > They reckon that's had a lot of issues (e.g. CVE reports) against it - and > it should be newer. > > I'm sure the one it has been 'updated' with is secure - and just reports > that version, but if someone can confirm that'd be great, > Don't take anything I say as confirmation, but I would have thought, looking at this page [1], that he is wrong. All the CVEs listed there say they apply to "before 4.2.4p8" or a lower version. Cheers Tom [1] http://www.cvedetails.com/vulnerability-list/vendor_id-2153/NTP.html