From owner-freebsd-security@FreeBSD.ORG Sat Nov 2 00:18:36 2013 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 2FD4E78C for ; Sat, 2 Nov 2013 00:18:36 +0000 (UTC) (envelope-from dim@FreeBSD.org) Received: from tensor.andric.com (tensor.andric.com [87.251.56.140]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id E0F7B226A for ; Sat, 2 Nov 2013 00:18:35 +0000 (UTC) Received: from [IPv6:2001:7b8:3a7::174:a45e:dad6:ebfd] (unknown [IPv6:2001:7b8:3a7:0:174:a45e:dad6:ebfd]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by tensor.andric.com (Postfix) with ESMTPSA id 402885C45; Sat, 2 Nov 2013 01:18:33 +0100 (CET) Content-Type: multipart/signed; boundary="Apple-Mail=_AFE44133-5409-4CEA-AA9C-185A660ECAAE"; protocol="application/pgp-signature"; micalg=pgp-sha1 Mime-Version: 1.0 (Mac OS X Mail 7.0 \(1816\)) Subject: Re: ntpd 4.2.4p8 - up to date? From: Dimitry Andric In-Reply-To: Date: Sat, 2 Nov 2013 01:18:24 +0100 Message-Id: References: <7403C046ABF387E5061BC441@Mail-PC.tdx.co.uk> To: Tom Evans X-Mailer: Apple Mail (2.1816) X-Mailman-Approved-At: Sat, 02 Nov 2013 01:11:38 +0000 Cc: freebsd-security@freebsd.org, Karl Pielorz X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 02 Nov 2013 00:18:36 -0000 --Apple-Mail=_AFE44133-5409-4CEA-AA9C-185A660ECAAE Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=us-ascii On 01 Nov 2013, at 17:31, Tom Evans wrote: > On Fri, Nov 1, 2013 at 4:05 PM, Karl Pielorz = wrote: >>=20 >> Hi, >>=20 >> A friend who uses linux a lot happened to notice on a FreeBSD box I >> installed the other day and updated to 9.2-R that it's using ntpd = 4.2.4p8. >>=20 >> They reckon that's had a lot of issues (e.g. CVE reports) against it = - and >> it should be newer. >>=20 >> I'm sure the one it has been 'updated' with is secure - and just = reports >> that version, but if someone can confirm that'd be great, >>=20 >=20 > Don't take anything I say as confirmation, but I would have thought, > looking at this page [1], that he is wrong. All the CVEs listed there > say they apply to "before 4.2.4p8" or a lower version. >=20 > Cheers >=20 > Tom >=20 > [1] = http://www.cvedetails.com/vulnerability-list/vendor_id-2153/NTP.html That page lists a bunch of CVEs, and the relevant ones have already had = FreeBSD security advisories: CVE-2009-3563 = http://www.freebsd.org/security/advisories/FreeBSD-SA-10:02.ntpd.asc CVE-2009-1252 = http://www.freebsd.org/security/advisories/FreeBSD-SA-09:11.ntpd.asc CVE-2009-0159 not relevant, NTP before 4.2.4p7-RC2 CVE-2009-0021 not relevant, NTP before 4.2.4p5 CVE-2004-0657 not relevant, NTP before 4.0 -DImitry --Apple-Mail=_AFE44133-5409-4CEA-AA9C-185A660ECAAE Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP using GPGMail -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.22 (Darwin) iEYEARECAAYFAlJ0RNcACgkQsF6jCi4glqOiMQCgqEK/KuTOr2w4M7U5gzf7WkgS kDgAoKmSKYv02vDgwFz1H/N9PQEWkdyQ =7dOs -----END PGP SIGNATURE----- --Apple-Mail=_AFE44133-5409-4CEA-AA9C-185A660ECAAE--