Date: Sat, 02 Nov 2013 20:24:48 +0100
From: Karl Pielorz
To: Dimitry Andric
Cc: freebsd-security@freebsd.org
Subject: Re: ntpd 4.2.4p8 - up to date?

--On 2 November 2013 01:18:24 +0100 Dimitry Andric wrote:

>> [1] http://www.cvedetails.com/vulnerability-list/vendor_id-2153/NTP.html
>
> That page lists a bunch of CVEs, and the relevant ones have already had
> FreeBSD security advisories:
>
> CVE-2009-3563
> http://www.freebsd.org/security/advisories/FreeBSD-SA-10:02.ntpd.asc
> CVE-2009-1252
> http://www.freebsd.org/security/advisories/FreeBSD-SA-09:11.ntpd.asc
> CVE-2009-0159 not relevant, NTP before 4.2.4p7-RC2
> CVE-2009-0021 not relevant, NTP before 4.2.4p5
> CVE-2004-0657 not relevant, NTP before 4.0

So as I'd kind of guessed - it's not really vanilla 4.2.4p8 that it's
running, it's based on 4.2.4p8 with additional patches that have been
applied by FreeBSD, to address the applicable notifications?

-Karl