From: Robert Simmons
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org, Winfried Neessen
Date: Mon, 22 Dec 2014 18:46:52 -0500
Subject: Re: ntpd vulnerabilities
In-Reply-To: <86a92fzmls.fsf@nine.des.no>

On Mon, Dec 22, 2014 at 11:16 AM, Dag-Erling Smørgrav wrote:
> Yes, FreeBSD is vulnerable, and we have informed CERT of that fact, so I
> don't know why they have us down as "unknown". We are preparing an
> advisory for tomorrow. As was the case with BIND, this takes more work
> than for many other operating systems since we maintain older versions
> in older branches; for instance, 8.4 has 4.2.4.

It looks like all supported FreeBSD versions use 4.2.4. At least CURRENT
and 10.1 report that as the version:

Dec 22 23:35:56 ntpd[660]: ntpd 4.2.4p5-a (1)

Will 4.2.8 be pulled into CURRENT eventually, or is the plan to replace it
entirely with ntimed?