From owner-freebsd-security@FreeBSD.ORG Sat Nov 2 22:59:43 2013
From: Darren Pilgrim
Date: Sat, 02 Nov 2013 15:59:32 -0700
To: Karl Pielorz, freebsd-security@freebsd.org
Subject: Re: ntpd 4.2.4p8 - up to date?
Message-ID: <527583D4.70409@bluerosetech.com>
In-Reply-To: <7403C046ABF387E5061BC441@Mail-PC.tdx.co.uk>

On 11/1/2013 9:05 AM, Karl Pielorz wrote:
> A friend who uses linux a lot happened to notice on a FreeBSD box I
> installed the other day and updated to 9.2-R that it's using ntpd 4.2.4p8.

There are two ntpds in ports: a newer version of the one in base (it's literally a drop-in replacement) and OpenBSD's openntpd.

If you just need a local accurate clock and maybe time service for your LAN, the one in base is ok because you can configure it to work around the open CVEs. If you're running a public NTP service, you can't work around spoofing vulnerabilities, so use one of the ports because you can keep it up to date much more easily.

You can remove ntpd from the base yourself:

1. Add "WITHOUT_NTP" to /etc/src.conf
2. Run the delete-old and delete-old-libs targets to "uninstall" the base ntpd.
3. Install ports/etc/ntp

The port uses the in-base RC script, so you need to set

ntpd_program="/usr/local/bin/ntpd"
ntpd_config="/usr/local/etc/ntp.conf"

in /etc/rc.conf to repoint the script at the port. You don't have to move ntp.conf, but /etc/ntp.conf gets removed by the delete-old target.
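A sanity check for the base-to-port switch described in the reply above, added here as an example rather than taken from the post or from FreeBSD itself: it reads an rc.conf and a src.conf and reports whether the base RC script will start the port's ntpd with the port's config, and whether WITHOUT_NTP is set so the next installworld does not bring the base ntpd back. The paths are the ones named in the post; the sample files are constructed.

```shell
#!/bin/sh
# Extract the value of var="value" from an rc.conf-style file (last wins).
rc_get() { # usage: rc_get FILE VAR
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# Return 0 when rc.conf points the RC script at the port's ntpd and config
# and src.conf disables the base ntpd; otherwise print what is off and return 1.
check_ntpd_switch() { # usage: check_ntpd_switch RC_CONF SRC_CONF
    rc="$1"; src="$2"; ok=0
    prog=$(rc_get "$rc" ntpd_program)
    conf=$(rc_get "$rc" ntpd_config)
    if [ "$prog" != "/usr/local/bin/ntpd" ]; then
        echo "ntpd_program is '${prog:-unset}', expected /usr/local/bin/ntpd"; ok=1
    fi
    if [ "$conf" != "/usr/local/etc/ntp.conf" ]; then
        echo "ntpd_config is '${conf:-unset}'; /etc/ntp.conf is removed by delete-old"; ok=1
    fi
    if ! grep -q '^[[:space:]]*WITHOUT_NTP[[:space:]]*=' "$src"; then
        echo "WITHOUT_NTP missing from $src: next installworld reinstalls base ntpd"; ok=1
    fi
    return $ok
}

# Constructed sample files (not real system files).
TMP=$(mktemp -d)
cat > "$TMP/rc.conf.good" <<'EOF'
ntpd_enable="YES"
ntpd_program="/usr/local/bin/ntpd"
ntpd_config="/usr/local/etc/ntp.conf"
EOF
# ntpd enabled, but the RC script still points at the base binary and /etc/ntp.conf.
cat > "$TMP/rc.conf.bad" <<'EOF'
ntpd_enable="YES"
EOF
printf 'WITHOUT_NTP=yes\n' > "$TMP/src.conf"
GOOD_RC="$TMP/rc.conf.good"; BAD_RC="$TMP/rc.conf.bad"; SRC_CONF="$TMP/src.conf"

for rc in "$GOOD_RC" "$BAD_RC"; do
    if check_ntpd_switch "$rc" "$SRC_CONF"; then
        echo "$rc: RC script will start the port's ntpd"
    else
        echo "$rc: needs fixing"
    fi
done
```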